You've invested in firewalls and your servers are patched. Clients are running updated anti-malware software and spam and phishing filters are turned up to 11 on your mail servers. Flash? Not running it. Role-based security measures? Implemented three years ago...of course. And BYOD? Only with approved AV and signed acceptable use and access policies. Your IT staff actually sleeps at night because you don't just have a security plan - You actually follow it.
Unfortunately, the reality for most organizations is a bit different. Smaller companies struggle to find the resources and the internal expertise to achieve robust security across the board, too often hoping that their smaller scale provides a degree of "security by obscurity". Even larger companies, however, often aren't where they need to be to protect their systems and their data. All of those data breaches that make for such flashy headlines occurred in organizations with dedicated security teams and extensive hardware and software solutions designed to lock down customer financial data, protected health information, and corporate IP. They're hardly mom-and-pops trying to keep kids from using their WiFi for free.
So if large corporations have the right components and human resources in place, why are they still getting hacked? The easy answer is that as systems become larger and more complex, it's easy to miss hidden vulnerabilities. Whether it's a misconfigured firewall, an unsecured wireless access point, or a new employee who clicks the wrong link, it only takes a small hole for an attacker to compromise major data stores.
Let's put this in context of something near and dear to many organizations' hearts: PCI compliance. PCI DSS lays out a number of security requirements for organizations that transmit, store, or process payment card information, which basically translates to everyone from small retailers to government agencies that accept credit card payments. The table below, published by the PCI Security Standards Council, lists the 12 defined requirements for PCI compliance.
"Requirement 11", specifies that organizations "regularly test security systems and processes". This testing, of course, is intended to find those vulnerabilities that open the door for cybercriminals.
Yet according to the 2015 Verizon PCI Compliance Report, interim assessments of PCI compliance improved across all 12 requirements - with the exception of requirement 11. Only 33% of organizations surveyed in the report were conducting appropriate tests of their security systems between regular PCI audits. The image below from the report paints a fairly stark picture of how organizations conduct (or rather, don't conduct) interim security assessments.
The end result is that organizations are leaving themselves vulnerable. Often, they don't conduct security audits on a regular basis because they are expensive and time consuming. Smaller organizations simply may not have the resources. But as the report explained,
"Many weaknesses are only picked up during vulnerability scanning as part of Requirement 11, which means organizations are always playing catch-up...Requirement 11 is fundamental to ensuring that the organization is prepared for the range of attack types reported in the 2014 DBIR. During post breach investigations we found that just 9% of organizations were compliant with this requirement."
The solution is simple enough in principle: Test, audit, test some more. Hire pen testers and professional auditors. The solution in reality can be more expensive, both financially and in terms of human resources than many organizations can manage.
Increasingly, though, the ability to secure your customers' data and your intellectual property aren't just legal requirements but competitive differentiators. And security might begin with implementing robust systems but it is maintained with regular audits and testing. Security plans that don't include these components are incomplete at best.