Was the Equifax breach finally the wake-up call that organizations needed?
Varonis conducted a survey of IT decision makers in the U.S. and Europe to find out whether large breaches like Equifax are redefining security postures. What they found is a disconnect between security expectations and security reality.
Nearly nine in 10 respondents said they are confident about their cybersecurity posture and are in a position to protect their organization from an impending threat. Another 85 percent said they have changed or plan to change their security policies and procedures in the wake of widespread cyberattacks. That is good, because nearly half believe that their company will experience a major security incident within the next year.
However, you have to wonder if they are truly that confident or if they are exaggerating their security posture and their internal security skills. The report also said this:
Attackers that successfully get onto a network can move laterally if access to information is available. Yet surprisingly only 66 percent of U.S. organizations and 51 percent of EU organizations fully restrict access to sensitive information on a “need-to-know” basis. . . . As shown with the DNC and Equifax breaches, attackers can get onto a network and spend weeks or even months stealing sensitive information before anyone knows they’ve been compromised. Despite these dangers, 8 out of 10 respondents in the EU and the U.S. are confident or very confident that hackers are not currently on their network.
Unfortunately, we don’t know what they base that confidence on, and that could spell disaster if it is falsely placed.
Michael Patterson, CEO of Plixer, told me in an email comment that he sees the results of this survey as good news/bad news:
The good news from this is that these executives are asking their security teams questions relating to preparedness. The bad news from this is IT teams are often fearful to expose weakness. Unless there is a culture of openness and a willingness to invest more time, people, and money, nobody really wants to respond with anything other than “we are prepared.” IT teams are fearful that exposing vulnerabilities will reflect poorly on them. There must be a shift of attitude from the boardroom all the way to the security operations teams acknowledging that prevention is impossible.
To be truly prepared, Patterson added, organizations need to have a well-defined incident response process and access to forensic data from network traffic analytics so that when an incident does occur, organizations are able to quickly understand all of the logistics of the breach and return the company to normal functions as soon as possible.
So, to answer my opening question: was the Equifax breach the wake-up call needed? I think the answer is mixed. Yes, security decision makers are forced to look more closely at their security posture, but I think there is still a long way to go to really understand how to best protect the network and data.