It’s a common misconception that big banks, government, and healthcare companies are secure from hackers. Conventional wisdom would say that people who have the most sensitive information should be the ones that have the best security, but the issue is that good security comes from good technology practices. In other words, really secure organizations pay regular attention to software and hardware maintenance, monitoring, testing and upgrades.
Security implementations are based on a sliding scale. On one end you have top-level security, which creates a huge inconvenience for an organization and its members. On the other end you have very little or no security, which results in almost no inconvenience. Security is never absolute, and any organization must decide where it fits best on the scale so that the level of security and convenience or inconvenience mesh with the risk it is willing to take.
Even though large companies are spending big bucks on protecting their data, the 2015 Verizon Breach Investigations Report shows that over 50% of breaches take more than just a few days to discover. Fewer than 6% of these attacks are ever discovered and revealed by the companies themselves; instead, they are reported by outside security specialists, often in some quarterly evaluation. Clearly, spending money alone is not a true solution to the problem. In some of the most famous and significant attacks in the last few years, the breaches went unnoticed for many months:
- Goodwill: 18 months
- Michaels: 8 months
- Home Depot: 5 months
- Neiman Marcus: 5 months
- JP Morgan: 2 months
At the very least, the money that is being spent on security should go toward setting up more frequent audits. In addition, if these businesses focused on a proactive security strategy rather than a reactive one, they would have much better results. Many companies only prioritize standards to prevent future breaches after suffering one major security breach. However, if they had valued high security standards from the beginning, many major breaches might have been avoided.
The businesses that do seem to get it right are businesses that are on the bleeding edge of technology, such as Facebook, Twitter and Google. Even relatively small businesses that are heavily invested in technology understand the importance of security and prioritize it as such. Tech businesses rely, almost entirely, on the stability and security of their underlying software. If all organizations were under the impression that a single data breach could bankrupt their business, many would be incredibly secure and breaches would occur far less often.