In IT security, sometimes it’s what you don’t know that hurts you – but sometimes it’s what you already know but never get around to acting on.
Startlingly, a full 89 percent of security breaches in early 2013 would have been avoided merely by implementing commonly known security controls and best practices, according to a 2014 study cited by Peak 10 security partner SilverSky. Many organizations probably have a nice checklist of security actions they mean to get around to, but just haven’t had the time.
But then there are the security measures you just don’t know about. Maybe you have the best hardware and software tools, but they’re not configured to resist the latest hacker tricks. Or maybe a new threat emerges that nobody saw coming. Remember the “Heartbleed” bug? Even though this SSL bug had existed since December 2011, nobody identified it as a threat vector until April 2014.
Either way, the impact of mismanaged security is dire. Verizon’s 2014 Data Breach Investigations Report, inspecting 63,000 incidents in 95 countries, will quickly get your attention. A couple of key observations:
- Although 60 percent of breaches are for financial reasons, intellectual property and espionage incidents are a growing threat at 25 percent.
- The speed with which hackers perform their exploits is consistently outstripping the pace of discovery.
- The biggest categories of breaches involving actual theft of data are web app attacks (35 percent) and cyber-espionage (22 percent).