It was 81 years ago this month that the French embarked on the most ambitious – and most expensive – security project in their history. The Maginot Line was a series of perimeter defenses that stretched over 900 miles, starting at their southern border with Switzerland and stopping in the north at the Ardennes forest, close to the English Channel. Its grand design included various fortifications, observation turrets and machine gun posts, as well as an intricate communications infrastructure that gave the French the ability to communicate along the entire length of the defensive structure.
The Maginot Line was constructed due to the utter shellacking that the French took in World War I, roughly 15 years prior. The Germans were able to simply march across their shared border and establish occupation – the French did not have the security people, processes or technology to defend themselves at that time. In 1930, French military tacticians believed that the Maginot Line was the key to avoiding a repeat of that scenario.
We all know how that story goes.
Today we know that the Maginot Line is not what failed the French. The Maginot Line, for all of its weaknesses, was a gem of modern military design. Retractable turrets. Redundant communication lines. Flood zones.
What failed the French is a misunderstanding of their risks.
Earlier this week I was speaking with one of the largest health care insurance providers in the Northeast (nearly 1M members), and I asked the question: “How do you determine your security priorities?” The individual I was speaking with, who by the way seemed very competent in his own right, went on about their budget process, about ongoing security initiatives and about demands from various departments. Noticing that there was a critical component missing, I asked how the organization’s risk fit into the equation. His reply made me realize that organizations of all shapes and sizes, and security practitioners of all competency levels, are being forced into practices where risk is an afterthought.
Being in the trenches (sorry, World War I on the brain) every day, I see organizations make security decisions based on hysteria, hype, the budget, the pushy board member, the slick salesman or tradition and the way things have always been done. The result is daily data breaches and security incidents, increasing complexity in our infrastructures and a growing distrust of security – the people, the processes and the technologies. If we don’t learn from history we’re bound to repeat it.
Your security decisions, your risks. The enemy is at the gate.
The most recent Ponemon study reveals what we’ve all been dreading – just when it seems like things couldn’t get any worse, they manage to crash and burn. According to the popular survey, more than 90% of respondents have been breached, and more than 50% of those who have already been breached expect it to occur again. Not surprisingly, greater than 50% of those surveyed were “not confident in their security”.
On the surface it seems that one of three things is occurring:
- Attackers are widening the tactics and tools gap, despite the millions (maybe billions?) of dollars that are poured into security research and development every year. The reality is, hackers like Vladimir Levin don’t play by any rules, which gives them a distinct advantage.
- Those of us who are in the business of securing important assets aren’t doing a great job. We may be focusing on the wrong things, or poorly implementing the right things or just not doing anything because our message is ill-timed, ill-crafted, or both.
- CEOs, CFOs, business owners and other decision makers still don’t care about security. This happens for any number of reasons – some continue to believe that they have nothing of value and are safely flying under attackers’ radar, and some are so deluged with data breach headlines that they are paralyzed by information overload.
Of course we’ve all seen plenty of each.
Now certainly I recognize that these data points come from a single study, and although Ponemon is highly respected, it is still a single point in time. However, if you spend long enough in the trenches, you’ll see these statistics playing out across boardrooms, data centers and water coolers in every corner of the country. Sadly, it looks like it’s going to get worse before it gets any better.
Have a great weekend.
GreyCastle Security was founded on the core principle that internal and external threats, misuse, organized cybercrime, system complexity, data breaches, hackers and vulnerabilities are growing at a far faster rate than organizations capable of dealing with them.
We read new headlines every day, and the stories have gotten closer and closer to home. The banks, grocery stores, school districts and fast food chains down the street have all been hit, and these are just the incidents that we know about. Russia, China and Eastern Europe are still turning out increasingly sophisticated cybergangs capable of crawling into networks, databases and bank accounts.
The United States isn’t far behind.
Malware variants and hacking tools are proliferating, and they are becoming increasingly difficult to detect, prevent and eradicate. Open source crimeware kits have given cybercriminals a fast, simple and effective way to create new malware – anyone can be a hacker.
Given the growing complexity of our networks, applications, hardware and software, it’s difficult to keep up with the mounting vulnerabilities that expose our critical assets and bring risk to our businesses. Add cloud computing to the mix, and you have a vast new set of moving parts to secure. Many industry experts see the current state of cyber-insecurity as a countdown to inevitable disaster.
We see it as a wakeup call.
Through all of the noise come a few simple truths:
- “92% of attacks were not highly difficult” – 2011 Verizon Business Data Breach Investigations Report
- “96% of breaches were avoidable by simple or intermediate controls” – 2011 Verizon Business Data Breach Investigations Report
At GreyCastle Security, we’ve proven that through a system of security fundamentals, you can reduce your risk and protect your sensitive assets.
We look forward to partnering with you on your next security initiative.
Welcome to the GreyCastle Security blog!
Subscribe and get the latest information security news, tactics, tips and procedures. If you run a business in New York’s Tech Valley, you’ve come to the right place for security and compliance guidance.