Imagine someone knowing a hurricane is heading their way, yet they do little more than board up the windows to protect themselves.
In effect, that's what nearly half of companies do to protect their networks from attackers. After surveying how organizations are handling prevention, a September SANS report, Data Breaches: Is Prevention Practical, concludes that although most respondents know of many preventative cybersecurity measures, they only implement a few. Less than 40 percent of respondents surveyed have implemented "business measures" that more than 50 percent of respondents consider preventive. Business measures are those tied to the mission of an organization, providing visibility into its security posture and its approach to risk analysis and management. Most respondents said they consider robust testing, development plans and procedures as preventive, but only half said they have implemented these architectural measures.
That disconnect between understanding and implementation may seem counterintuitive, especially in the world of cybersecurity. However, as the report stated: "Apparently, respondent experience with a measure shows a certain disenchantment with a measure's ability to prevent. Although more than 80 percent (around 81 percent) of respondents have implemented technology that blocks known malware and vulnerability exploits, slightly less than 50 percent consider these technical measures effective."
That means around 19 percent of respondents aren't using technology to block threats. That less than 50 percent of respondents said they consider preventive technology to be effective shows that there is a fundamental misunderstanding around security. Perhaps these organizations are looking for the perfect solution that guarantees no breaches, but -- just as in life -- there are no guarantees in security. However, that's no excuse for giving up. Securing a network is like dressing for war where temperatures hover around 25 degrees below zero. Simply wearing gloves won't protect you. Neither will just wearing an undershirt. The cold, wind and rain are going to hit you from all sides, so you must protect your head, hands, feet, your entire body, and dress in many layers to protect yourself. There may be a bare minimum dress rule dictated by the military, but if you want to stay as warm as possible, you need to focus on staying warm rather than just meeting the minimum requirements. The same goes for being in compliance with regulatory requirements. Just being in compliance is not enough to secure a network. When you secure your network, you will meet compliance requirements.
Companies that don't take preventive measures because attackers can get in anyway don't seem to understand that they must take numerous precautions to secure their networks. If you're out in sub-freezing temperatures all day, you'd better dress in many layers, and bring first aid solutions, like thermal hand and feet warmers just in case you get frost bitten. You don't give up and say, "To heck with it. It's 25 degrees below freezing and I'm doomed."
Just like gloves won't always protect your fingers, security preventions won't always protect your network. That's why you have detection technologies and security analysts working for you when your prevention technologies fail. With Advanced Endpoint Threat Detection and 24-hour network monitoring, you can quickly spot enemies before they can access your most valuable data.
There is no point where your network is absolutely secure, just as there's no point where your body is absolutely safe when you're fighting a battle in sub-freezing temperatures. Security is war, and you can't just give up. It takes layers of security to fend off the enemy, but you can stop them. At SecureWorks, we do that every day.