There is no such thing as 100% security. Any company that believes in throwing fortunes at technologies that try to get rid of all threats is setting itself up for failure.

“Rather than trying to prevent breaches only, companies should also focus on the ability to deal with them timeously to lessen the impact,” says Jayson O’Reilly, Director of Sales and Innovation at DRS.

He says that most businesses today have formulas and strategies to try to lessen risk, weighing up threats, vulnerabilities and potential consequences, but that these are far from foolproof, as it is impossible to know about every threat and vulnerability out there.

“Businesses cannot rely on traditional security tools alone. Prevention, detection, mitigation are vital to protecting your systems, but companies must accept that breaches are going to occur, and plan for that eventuality accordingly. With approximately three pieces of malicious code written every second, the sooner a company accepts this, the better.”

O’Reilly says there is also the misconception that all threats warrant the same concern. “In truth, there are threats which are really no more than an annoyance, that you know do not pose a significant risk and can cause no real damage, and there are serious threats that must be treated accordingly.”

He says the problem is that, too often, the more serious threats can get lost in the noise caused by all of the minor ones and slip through the net.

“A fine balance is needed here. The security team does not have the time or the resources to scrutinise each and every threat, but enough care must be taken not to miss the important alarms, and serious anomalies. The challenge is to find the balance and the suitable level of scrutiny that ensures persistent threats are identified and mitigated.”

He adds that predictive systems, which claim to be able to identify the next threat before it strikes, are also ineffective. “In reality, it is near to impossible to predict an attack by an unknown attacker, whose skills you are unaware of, and whose motives can at the very best be only wildly speculated on.”

According to O’Reilly, another belief that is causing organisations to fall short is that all vulnerabilities can be removed. “In reality, the common vulnerabilities and exposures list contains tens of thousands of vulnerabilities, with more being added every day. It is completely unrealistic to think that any business can guarantee that its network, which includes firewalls, hosts and suchlike, can possibly deal with tens of thousands of vulnerabilities.”

Because of all these factors, security practitioners must develop tools, strategies and best practices that work irrespective of the attacker, and which will mitigate a wide range of threats and scenarios, he says.

“A company’s best defence is in limiting the consequences of an attack. Formulate a strategy that relooks at the security myths, particularly the myth of in-depth defence. The environment is uncertain; make sure the business can handle any eventuality.”