If you follow the news, you may have seen that Hyatt discovered a breach last year and has disclosed the extent of it as they understand it. Data breaches are a fact of life, and folks too often wait for something to happen before they address systemic issues in their organization. Security is a cost center, not a profit center, and it will take a back seat the same way you might cut other corners as you rush to that next milestone. Worse, security often puts the brakes on the very things you are rushing to accomplish. Pen tests and vulnerability scans cost money. And they turn up issues. And those issues require your organization to spend time and even more money mitigating them instead of running the business.

The Verizon Data Breach Investigations Report from 2015 tells us they evaluated nearly 80,000 incidents in 2015, and more than 2000 of those were confirmed data loss events. That is a lot of targeted attacks and a lot of missing data, and those are just the ones Verizon knows about. One fact jumped out at me from this report:

  • 99.9% of the attacks exploited known vulnerabilities whose CVE was at least a year old.

If you have waited to evaluate your company’s security infrastructure, now would be a good time to do whatever you need to do to get that in the budget and on the schedule.

Do you have robust patch management? Do you regularly scan your systems for compliance? When was your last penetration test?
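The year-old-CVE statistic above is something you can check against your own scan results. The script below is an added example, not code from the original post or from Verizon: given rows in the shape a vulnerability scanner export commonly takes (host, CVE id, CVE publication date, patch availability), it flags every finding whose CVE has been public for at least a year and summarizes which hosts and CVEs are in that overdue backlog. The sample rows, the placeholder CVE ids, the review date and the one-year threshold are all constructed for the example.

```python
from dataclasses import dataclass
from datetime import date

# Constructed sample rows in the shape a vulnerability scanner export
# commonly takes (host, CVE id, CVE publication date, patch availability).
# The CVE ids are obvious placeholders, not real advisories.
SAMPLE_FINDINGS = [
    {"host": "web-01",  "cve": "CVE-0000-EXAMPLE1", "published": "2014-02-10", "patch_available": True},
    {"host": "web-01",  "cve": "CVE-0000-EXAMPLE2", "published": "2015-12-20", "patch_available": True},
    {"host": "db-01",   "cve": "CVE-0000-EXAMPLE3", "published": "2015-01-14", "patch_available": True},
    {"host": "db-01",   "cve": "CVE-0000-EXAMPLE4", "published": "2015-01-16", "patch_available": False},
    {"host": "mail-01", "cve": "CVE-0000-EXAMPLE1", "published": "2014-02-10", "patch_available": True},
]

# Constructed review date used when the script runs stand-alone.
REVIEW_DATE = date(2016, 1, 15)


@dataclass(frozen=True)
class Finding:
    host: str
    cve: str
    published: date
    patch_available: bool


def parse_findings(rows):
    """Turn raw export rows into Finding objects, parsing the ISO date field."""
    return [
        Finding(
            host=row["host"],
            cve=row["cve"],
            published=date.fromisoformat(row["published"]),
            patch_available=bool(row["patch_available"]),
        )
        for row in rows
    ]


def cve_age_days(finding, as_of):
    """Number of days the CVE has been public as of the given date."""
    return (as_of - finding.published).days


def overdue_findings(findings, as_of, max_age_days=365):
    """Findings whose CVE has been public for at least max_age_days, oldest
    first. This is the population the DBIR statistic is about."""
    overdue = [f for f in findings if cve_age_days(f, as_of) >= max_age_days]
    return sorted(overdue, key=lambda f: cve_age_days(f, as_of), reverse=True)


def triage_summary(rows, as_of, max_age_days=365):
    """Summarize a scan export for a patch-management review."""
    findings = parse_findings(rows)
    overdue = overdue_findings(findings, as_of, max_age_days)
    return {
        "total_findings": len(findings),
        "overdue": [(f.host, f.cve, cve_age_days(f, as_of)) for f in overdue],
        "overdue_with_patch": sum(1 for f in overdue if f.patch_available),
        "hosts_with_overdue": sorted({f.host for f in overdue}),
        "cves_overdue": sorted({f.cve for f in overdue}),
    }


if __name__ == "__main__":
    report = triage_summary(SAMPLE_FINDINGS, as_of=REVIEW_DATE)
    for host, cve, age in report["overdue"]:
        print(f"{host:8} {cve:20} public for {age} days")
    print(f"{report['overdue_with_patch']} of {len(report['overdue'])} "
          "overdue findings already have a vendor patch available")
```

Run against a real export, the `overdue_with_patch` count is the number that matters for the patch-management question: those are findings where the only missing ingredient is your own process, and the same kind of report can be re-run after each scan to confirm the backlog is shrinking.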

Developing solid policies and procedures, including a regular evaluation of your posture, is a good start to avoiding being the next one in the news.