The term Assumption of Breach (AOB) was coined a few years ago in IT Security to express the reality that your company cannot possibly hope to avoid every potential breach it could face. Every day we see the tactics and techniques that hackers use to penetrate corporate networks evolve at an alarming pace, and with them the theft of client data, corporate data, and intellectual property. AOB is no longer so much a concept or a theory as it is becoming a fact of life. But how far can we safely take this assumption?
Proponents have applied AOB to mean “it’s not if but when” your company will experience a breach. That is probably true – the statistics are staggering: in the US, over 600 million records containing personal information have been stolen in about 4,000 reported security breaches since 2005. We also know that, beyond these stats, many breaches go undetected or unreported. So what does this mean for your company? How should you respond to these frightening numbers?
Deal With it When it Happens
Avoidance is a common response. Executives and Boards become overwhelmed by the work or expense they think compliance and/or security will require and the strain it will put on budgets and operations. Or they become overwhelmed by constant news of new threats, new breaches, stolen data, regulatory fines – lions, tigers, and bears! Panic and indecision, avoidance and delay, replace the positive, realistic action that could prepare the company and mean the difference between an inconvenient security event and a devastating breach.
In the Tampa Bay area where we are located, despite many warnings and close calls, there has not been a significant hurricane in decades. This breeds a dangerous complacency. The same happens in security. When we hear almost daily of a new breach with millions, even billions, of records stolen and we are urged again to change all our passwords immediately…most of us just don’t bother.
Needless to say, I cannot recommend a response characterized by avoidance or complacency. There is a better way to apply the Assumption of Breach concept.
Prioritize What We Really Must Protect
This is a business reality. In the short term, few companies can afford to address every risk or make every improvement that they would like to make. A thorough risk analysis is intimidating to many organizations because they are afraid they will be confronted with more than they can reasonably address. This is not a reason to avoid assessment. Ignorance is certainly not bliss. A comprehensive assessment can actually help your organization make smart decisions and craft a reasonable plan for addressing vulnerabilities or areas of weakness over time. You can prioritize the most critical issues that need to be addressed and ultimately save your company from making random improvements that may or may not move you closer to compliance or to better security.
Do Our Best to Prepare
Have a Plan for Improvements
The vulnerabilities revealed by your risk assessment are not meant to give you nightmares. This information should empower your company to make a plan to systematically address the easiest gaps to fill and to focus available resources on the most critical areas.
Have a Plan for an Incident
Weaknesses you identify, especially those that cannot be addressed immediately, provide the perfect starting point for an Incident Response Plan to prepare your team for a possible problem in those areas. Having a tested response plan and a team that is trained and prepared to implement the plan could greatly reduce the damage you would suffer from a breach or an attack.
Address the Avoidable
While you cannot address every identified risk, and you probably cannot even identify all the potential risks, you can pinpoint the obvious ones. Research recently released by the Ponemon Institute revealed that 24% of the security incidents experienced by utility companies in the last year were due to an attack or negligence from the inside. The same study revealed that only 6% of the companies trained their employees in cyber security. Start first by controlling what you can control. Security and compliance training, along with clear and enforced policies and procedures, can put a real dent in your company’s risk before you even begin to worry about outside threats. This is the low-hanging fruit of IT Security.
The better response…
Prepare as best you can. You may not be able to make all the remediations or improvements that you would like to make, or address all the vulnerabilities revealed by your risk assessment, right now. But don’t let that stop you from doing something. Following a risk assessment conducted by Loricca, our experts help clients prioritize what can be done relatively easily now and what must be done now, and then outline a plan for addressing the remaining gaps in security and/or compliance over time. This puts the company on the right track, guides them to take proactive action, and systematically mitigates the risks they may be facing. Your network and your data may not be 100% secure overnight; they may never really be – but they can be a great deal safer almost immediately, and more easily than you think.