September 21, 2016


Only Paying Attention to Big-Name Hacks? You May Be Missing the Point

Security professionals are more likely to pay attention to breaches if the companies being breached already have recognizable names. That seems like common sense. You see a headline that says, “Target point of sale technology hacked,” and you’re much more likely to pay attention than to, “Hospital in Kentucky suffers from ransomware attack.” Unless you live in Kentucky.

Security teams that do this, however, may be missing the big picture: security incidents are broad, they don’t just hit the top names, and everyone is at risk.

Lower profile attacks may impact how you respond

Lookout recently surveyed enterprise IT security professionals (see methodology below) to understand how breach headlines impact them and how they respond. We found that these professionals clearly knew about the big household name security incidents: Apple, Target, Sony. When it came to the OPM attack that impacted millions of Americans, the ransomware attacks that have put real lives at risk, and the Snowden revelations, these IT security professionals were much less informed.

How enterprises react

Typically, enterprise IT security professionals will check their own protocols after a significant breach makes headlines. They may increase their own security spend, invest in training their staff, and increase spend on employee education programs and mobile security.

This is because IT security teams tend to believe their biggest weaknesses are their employees — specifically, their employees’ weak passwords and mobile devices.

Not surprisingly, the Sony, Target, and Apple security incidents spurred IT security professionals into action the most.

Why is this concerning?

Why would we be worried about when and how enterprises respond to breaches? The answer is “fatigue.” There are a lot of breach headlines in the news today. Take a week and try to spot a headline about a hack every day; you’re not going to have a hard time. This means that many enterprise IT security professionals are only paying attention to the breaches with the most brand recognition, potentially ignoring a wealth of other breaches that may provide important cautionary tales.

The survey data also reveals that respondents with “VP” and executive titles are more attuned to these headlines than those with director or manager titles. This means the employees running day-to-day operations are less engaged with the real-life attacks happening in the market today that could impact them.

The fatigue shows up internally, as well. IT security professionals are often so inundated with incident alerts from their security technology that they sometimes go numb to them, which is understandable. Target, for example, revealed that its security technology did detect the malicious activity that led to its major point-of-sale breach, but the company chose not to act on it, as reported by Reuters. Target explained in a statement, “With the benefit of hindsight, we are investigating whether if different judgments had been made the outcome may have been different.”

Recognizing that we tend to pay attention only to events that seem loud and noteworthy is the first step to avoiding the trouble fatigue causes.

Why enterprises should brush off fatigue

The sheer number of significant security incidents, not just the famous ones, is what IT security teams should be tracking today. IT security professionals must not fall into the trap of thinking, “Well, my company isn’t Target, so I don’t have to worry.” It’s natural to pay attention to breaches that impact household names, but doing so may distract from a greater truth: it’s not just big brands that get breached.

Security through obscurity only works for so long. If you have information that an adversary wants — whether you think it’s “interesting” enough or not — your organization is at risk.

Read the full report here.

Survey methodology

An online survey was conducted among a panel of potential U.S. respondents. The recruitment period was July 7, 2016 to July 22, 2016. A total of 500 respondents completed the survey (excluding terminates and abandonments). All respondents were 18 years of age or older, employed at a company with 1,000 employees or more, a decision maker or involved in the decision-making process related to IT security, and held a title above intern, entry level, or analyst/associate. The sample was provided by Market Cube, a research panel company. All were invited to take the survey via an email invitation. Panel respondents were incentivized to participate via the panel’s established points program. The margin of error is 4.4%.

Newspaper image via Jon S./Flickr