During Build IT Together in May of 2015, Chris Czub gave a keynote on information security. In this first installment of a three-part series, here’s a recap based on Chris’ presentation, calling out the fact and fiction of data security today.
Hollywood may conjure up images of hackers crawling through air ducts, but the fact that real-world hacking isn’t cinematic doesn’t mean it comes without drama of its own. The average cost of a data breach rose 8.8% from 2013 to 2014, and the cost per record jumped 6.9%—up to $201—in the US in 2014. That means that for every record breached in your organization, on average you’re paying $201 to deal with it.
Although the most costly breaches are due to malicious attacks, the majority stem from human error and can be avoided, but some myths stand in the way. Luckily, we dispelled some of those myths during Build IT Together.
Security Fact and Fiction Quick Hits
Fact: Many hacks are facilitated by oversights on the part of service operators. This is somewhat comforting—it means they can be addressed.
Fact: Ongoing internal and external risk-assessment can uncover problems.
Fact: Your organization needs to own and understand its security program.
Fact: An information security policy is a good step to address the reality of your security.
Fact: It’s possible to make hacking your organization very difficult.
Fiction: Today’s APTs require expensive threat intelligence feeds to understand.
Fiction: “Security” is a one-time expense.
Fiction: Spending a lot of money on security means you’re doing it right.
Fiction: There’s a magic box you can plug into your network and secure it all.
Fiction: You can be completely hack-proof.
General Security Fiction
1) Data Insurance means you’re a slacker
There’s a belief that holding a data breach insurance policy indicates that an organization is slacking on its IT security spending. In fact, such organizations are MORE likely to have other proactive measures in place, particularly to prevent increases to their premiums. In reality, carrying a policy shows that they’re thinking about information security and are willing to spend money on it.
2) Users care about their own security
Microsoft did a study on user behavior, and the reality is that users don’t care about security. There’s not a good cost-benefit trade-off for them: they find it boring, and it requires them to change much of what they’re doing. It’s better to make security transparent to users and to make allowances for it higher up in the chain.
3) Government hackers have better tools, so why protect myself?
There’s a false belief in a looming danger from Advanced Persistent Threats. There are government-sponsored hackers targeting large corporations, but they’re bound by the same set of rules we are. If they find a simple oversight in your system, that oversight is what they’ll take advantage of.
How is your organization confronting information security? You can find Chris’ slides from the event here. Check out the next recap to see one simple step your organization can take towards becoming more secure.