If you go back to
Myth #1, most of the businesses that suffered a data breach had the best
hardware. It didn’t stop the bad guys.
The Verizon 2012
Data Breach Investigations Report has some really enlightening statistics about
the timing of data breaches. Most compromises happened within minutes of
initial attack, and data exfiltration happened within minutes of
compromise. But detection of the compromise didn’t happen for months, and
containment took weeks after that. And many of these breaches happened to
companies with all the best hardware.
The thinking
underpinning this myth is that as technology created the problem, it can also
solve it. Because most of these technical systems are scoped, implemented and
managed by capable technologists, those technologists are unfortunately blind
to the truth. Information Security is a People Business. It’s not about
the technology. It’s never been about the technology.
People are the
easiest system to attack, and people can subvert any security control. And
much to the annoyance of the technologists, they can’t be patched, and they
can’t be upgraded!
Hardware provides
a solid platform, and without it security isn’t possible. But policy,
configuration and management trump functionality every time. Many
businesses focus too much on capex and so overspend on hardware and
underspend on policy, configuration and management.