[BreachExchange] Enterprises: Only paying attention to big-name hacks? You may be missing the point

Wed Sep 21 17:47:31 EDT 2016

https://blog.lookout.com/blog/2016/09/21/breach-fatigue/

Security professionals are more likely to pay attention to breaches if the
companies being breached already have recognizable names.

Seems like common sense. You see a headline that says, “Target point of
sale technology hacked,” you’re much more likely to pay attention than,
“Hospital in Kentucky suffers from ransomware attack.” Unless you live in
Kentucky.

Security teams that do this, however, might be missing the big picture of
how broad security incidents are and how they don’t just impact top names —
everyone is at risk.

Lookout recently surveyed enterprise IT security professionals (see
methodology below) to understand how breach headlines impact them and how
they respond. We found that these professionals clearly knew about the big
household name security incidents: Apple, Target, Sony. When it came to the
OPM attack that impacted millions of Americans, the ransomware attacks that
have put real lives at risk, and the Snowden revelations, these IT security
professionals were much less informed.

How enterprises react

Typically, enterprise IT security professionals will check their own
protocols after a significant breach makes headlines. They may increase
their own security spend, invest in training their staff, and increase
spend on employee education programs and mobile security.

This is because IT security teams tend to believe their biggest weaknesses
are their employees — specifically, their employees’ weak passwords and
mobile devices.

Not surprisingly, the Sony, Target, and Apple security incidents spurred IT
security professionals into action the most.

Why would we be worried when and how enterprises are responding to
breaches? The answer is “fatigue.” There are a lot of breach headlines out
there in the news today. Take a week and try to spot a headline about a
hack everyday, you’re likely not going to have a hard time. This means that
many enterprise IT security professionals are only paying attention to the
breaches that have the most brand recognition, potentially ignoring a
wealth of other breaches that may provide important cautionary tales.

The survey data reveals that those with “VP” and executive titles are more
attuned to these headlines than director or manager titles as well. This
means the day-to-day operations employees are not as engaged with the
real-life attacks happening in the market today that could impact them.

The fatigue translates internally, as well. IT security professionals are
often inundated with incident alerts from their security technology
solutions that they sometimes go numb to them, which is understandable.
Target, for example, revealed that its security technology did detect the
malicious activity that led to its major point-of-sale breach, but chose
not to act on it, as reported by Reuters. Target explained in a statement,
“With the benefit of hindsight, we are investigating whether if different
judgments had been made the outcome may have been different.”

Recognizing that we have a tendency to pay attention to only those events
that seem loud and noteworthy is the first step to avoiding fatigue trouble.

The sheer number of important security incidents is a key metric for IT
security teams today. IT security professionals must not fall into the trap
of thinking, “Well, my company isn’t Target, so I don’t have to worry.”
It’s natural to pay attention to those breaches that impact household
names, but it may distract from a greater truth: it’s not just big brands
that get breached.

Security through obscurity only works for so long. If you have information
that an adversary wants — whether you think it’s “interesting” enough or
not — your organization is at risk.

Read the full report here.

Survey methodology

An online survey was conducted to a panel of potential U.S. respondents.
The recruitment period was July 7, 2016 to July 22, 2016. A total of 500
respondents completed the survey (excluding terminates and abandonments).
All respondents were 18 years of age or older, employed at a company with
1,000 employees or more, a decision maker or involved in decision making
process as related to IT security, and had a title level above intern,
entry level, analyst/associate. The sample was provided by Market Cube, a
research panel company. All were invited to take the survey via an email
invitation. Panel respondents were incented to participate via the panel’s
established points program. The margin of error is 4.4%.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20160921/bfbbaeef/attachment.html>