Is IT Security Just an Illusion?

A recent survey by the Ponemon Institute found that the threat from cyber attacks is nearing statistical certainty -- 90 percent of U.S. businesses were hit by at least one security breach in the last 12 months. Almost one in two said there was a significant increase in the frequency of cyber attacks over the past year, and 77 percent said attacks are more severe or difficult to contain.

So is security just an illusion? Is it possible any longer to truly be secure, or is all corporate data only one click away from walking out the door?

Ponemon Institute chairman and founder Larry Ponemon said, basically, yes. “When we think about our endpoints, like cell phones and smartphones and tablets and notebooks, these things are getting very hard to secure completely,” he said.

Similarly, Bob Walder, chief research officer at security research firm NSS Labs, said breaches are all but inevitable. “We have to accept that it’s going to happen, no matter what defenses we put around our network. All the firewalls and IPSes in the world are not going to stop these guys if they really want to get into your network.”

So rather than seeking an impossible level of perfect security, Walder said, the answer lies in active monitoring. “Know what your network traffic should look like, monitor for anomalies, and track those back and figure out exactly what’s going on … good security is about minimizing the risk, realizing what risk you are still exposed to, and monitoring where that risk may be exploited,” he said.

One mistake many companies make, Walder said, is to equate regulatory compliance with security.

“Most smaller businesses will go through the motions of becoming compliant. They’ll install a UTM [unified threat management] or a firewall at the perimeter of their network and then they can just check a box, and they’re certified as complaint. But, compliance doesn’t guarantee security, it just means you’ve got a piece of paper with a few ticks on it.”

Edward Hamilton, head of Information Security and Assurance at research firm Analysys Mason, said the biggest security risk ultimately lies in a company’s employees. “Most security breaches still happen because of your employees doing something silly, like leaving a laptop on a train or accidentally e-mailing the wrong document to the wrong people."

And so, security breaches of some kind are unavoidable. “All you can do is have in place the right technology, processes and training to try and minimize the impact of them, be able to detect when you’re losing data, and have the team in place to rectify that and close down the loophole as quickly as possible,” he said.