Myth #3: We have the best hardware
We have the best hardware. We have firewalls from more than one vendor. We have anti-virus appliances at the gateway. We have excellent logging capabilities. We’ve just implemented a data loss prevention solution. And we’ve had the smartest engineers hook it all up. Of course we are secure, our vendors told us so!
If you go back to Myth #1, most of the businesses that suffered a data breach had the best hardware. It didn’t stop the bad guys.
The Verizon 2012 Data Breach Investigations Report has some really enlightening statistics about the timing of data breaches. Most compromises happened within minutes of initial attack, and data exfiltration happened within minutes of compromise. But detection of the compromise didn’t happen for months, and containment took weeks after that. And many of these breaches happened to companies with all the best hardware.
The thinking underpinning this myth is that as technology created the problem, it can also solve it. As most of these technical systems are scoped, implemented and managed by capable technologists, they are unfortunately blind to the truth. Information Security is a People Business. It’s not about the technology. It’s never been about the technology.
People are the easiest system to attack, and people can subvert any security control. And much to the annoyance of the technologists, they can’t be patched, and they can’t be upgraded!
Hardware provides a solid platform, and without it security isn’t possible. But policy, configuration and management trump functionality every time. Many businesses focus too much on capex and so will overspend on the former, and underspend on the latter.
That makes this myth busted.
Phil Kernick Chief Technology Officer