Weathering An Insecure World

As the industry undergoes a shift in mindset, enterprises are struggling to catch up.
Writer Emily W.
October 26, 2015

Emily serves as the VP of Research at Terbium Labs. With a background in International Relations, Emily alternates between quiet rants about Russian politics and foreign policy and crafting blog posts about the realities of the Dark Web (hint: red rooms aren't real).

Information security is in the midst of a major shift. What had been a purely technical, defensive, IT problem is now a whole-organization risk management problem. As the industry undergoes this wholesale shift in mindset, enterprises are struggling to catch up.

Until a few years ago, an enterprise could approach information security technically: by installing a few defensive products from reputable vendors, an organization could feel relatively secure in its perimeter and would be understood by its investors, partners, and customers to have taken adequate precautions.

This is no longer the case. The sophistication of threats and the breadth of attack surfaces have increased in a way that means sensitive information is always at risk.

As that realization spreads throughout the industry, it is bringing with it an understanding that defense, while necessary, is no longer sufficient. The question is, if that’s the case, what’s next, and how do we think about the problem?

A Risk Management Problem

At the simplest level, managing most risks comes down to getting the basics right, implementing a few clever tricks on top of that, remaining vigilant, and having a remediation plan in place. If you think of preparing for a flood, there is some level of storm that any well-built structure should be able to withstand. Then there is some more severe flood that a structure can withstand if its occupants are willing to undergo a certain level of inconvenience. And finally, there are some storms that no amount of preparation can ready a building for. Its occupants must be prepared for this eventuality and have an exit plan, a cleanup plan, and, ultimately, insurance.

It is simultaneously impossible to assume complete safety and foolish to do nothing. The basics will protect against 90% of storms, and some more advanced precautions will cover 9% of that last 10%. The last 1% is all about preparedness and remediation, and it’s the 1% that the industry is still wrestling with how to address.

Start with Basic Precautions

First, maintain a realistic perspective of damage and preparedness. No one counts the impact of a storm by the number of individual rain drops. Five malware events occur every second: that’s not the most useful way to think about protecting information. Organizations should use their time and resources to create a security infrastructure capable of withstanding a high-impact event, rather than becoming overwhelmed with the possibility of a few drops.

Second, prepare for events before they occur. In the same way that you would patch your roof ahead of a hurricane, organizations need to assess, identify, and address vulnerabilities before a data breach occurs. Of the vulnerabilities exploited last year, 99% were compromised more than a full year after patches that would have prevented the breach had been issued. Any structure expected to withstand even the most rudimentary of storms requires preventative maintenance.

Third, organizations must take proactive steps to be aware of their surroundings. On average, it takes organizations 206 days to discover a breach. As a homeowner, you would not ignore the sound of dripping water from January until July - you would check for an open window.

Being proactive is where Matchlight comes in. With Matchlight’s proprietary technology, organizations can detect the appearance of their private information on the web in minutes or seconds, rather than after months or years of exposed information.

Ultimately, there are times when a storm will damage your home. But with the proper preparation and a proactive posture, organizations can limit the damage and remain resilient.
