The Online Trust Alliance (OTA) recently published its 2015 Data Protection Best Practices and Risk Assessment Guides. Based on their analyses, the OTA finds that over 90% of the data breaches that occurred in the first half of 2014 could easily have been prevented.
This assertion draws a direct cause-and-effect line between risk and mitigation: if an organization that experienced a breach had performed a risk assessment, had through it identified a vulnerability (anything from a lax employee who loses a device to a software vulnerability that goes unpatched and is exploited), and had then mitigated the risk, then nine out of ten data breaches could have been prevented.
It's important to temper the statistics with one practical reality: statistics alone cannot distinguish between motivated and opportunistic attacks.
A motivated attacker, when thwarted from accomplishing a breach, will continue to look for other means or opportunities.
Risk assessments can factor motivated attackers into the risk equation, but identifying motive is becoming increasingly difficult as the incentives for commercial, state, and even formerly notoriety-seeking attackers have increased. The axiom "Know your enemy" is rapidly devolving into "Trust no one", and the latter is more complex and expensive to contend with.
Knowing that you must contend with motivated attackers may affect whether you rate a risk as MEDIUM or HIGH, and whether you choose to mitigate or eliminate a threat; moreover, knowing that you face attackers who won't be easily deterred may force you to implement measures that go beyond conventional best practices, at greater expense.
I encourage OTA and other proponents of risk management to raise awareness of the evolution of the attacker landscape and to incorporate "contending with motivated attackers" into their awareness-raising guides and collateral.