What Do the Cyber Attacks of 2015 Tell Us About the Current State of IT Security?

Cybersecurity continued to be a problem for many companies in 2015, with several large financial institutions, retailers and insurance companies admitting to damaging breaches worth millions of dollars. The rise of cyber attacks is most likely here to stay. The attacks tell you three things about the current state of the IT security industry:

The industry as a whole is still not well positioned to defend itself.

A successful security initiative is an investment for companies of all sizes. A functional security organization requires a commitment to changing internal behavior and an investment in technology and human capital. For companies that have historically underinvested in security initiatives, they will feel the burden more than ever.

Companies are becoming more aware of the need for security and its effect as a business enabler, but as G.I. Joe once said, “knowing is only half the battle.”

Companies still have a very hard time doing the security basics.

Implementing general security best practices, such as the SANS Top 20 Critical Security Controls for Effective Cyber Defense, can prove to be difficult for most companies.

Although this sounds easy, it becomes exponentially harder the larger the company is as there is more to protect. Unless we change our strategy from protecting everything on the network to protecting only the business critical systems and data, firms will continue to struggle with even the basic security controls.

No matter what you do, if an attacker really wants into your network and access to your data, they will get in.

The best companies can keep the opportunistic attacker out of their network but a motivated attacker will generally always get in. Companies need to have a plan and be ready when their walls (perimeter) have been breached. What really separates the good companies from the great ones is their ability to respond and manage this risk.

As we transition into 2016, it’s important for companies to start with the basics in their security plan, and scale from there. Invest now in the right measures necessary to protect and respond to threats.