If your org hasn't had a security incident in the last year: Good for you, you're in the minority

Nearly seven in eight CTOs and CIOs have admitted to their businesses suffering a data breach, according to a survey. Threat intel biz Carbon Black reckons that of the 250 CTOs, CIOs and CISOs it surveyed earlier this year, 84 per cent admitted to some form of security breach within their organisation. This compares with 88 …

  1. Tom Paine Silver badge

    Definition

    As the piece says, "data breach" is a moveable feast, or to put it more precisely, "marketing guff". An ankle-biter malware infection is a system compromise is a breach?

    That said, $employer is one of the 5%. Clearly, we must have state of the art technology and a fine staff of highly skilled and experienced developers and engineers looking after all the shizzle.

    < /deadpan >

  2. Cederic Silver badge

    Not strictly true

    If your org hasn't had a security incident in the last year, it just means that you haven't spotted it yet.

    1. Anonymous Coward

      Re: Not strictly true

      Exactly this...

      Or, the companies are outright lying.. as the great Kevin Bloody Wilson puts it "if you say you don't w*nk your liar"

      1. RichardB

        Re: Not strictly true

        and a fool if you say that you do.

      2. Michael Wojcik Silver badge

        Re: Not strictly true

        I don't even have a liar.

        1. Anonymous Coward

          Re: Not strictly true

          Mine lies all the time.

  3. Anonymous Coward

    The (almost) Inevitable

    Problem with this is that no-one counts or publicises the failed hacking attempts (except for the security companies) and no-one gets a medal for keeping hackers out.

    The attack surface is so great these days that it is almost inevitable that, over time, an organisation gets hacked. And that grabs the headlines.

    Liked the caption under the photo: "A proud CIO boasts that his org hasn't been hacked". What a way to throw down the gauntlet!

    AC, well, because...

    1. Halfmad Silver badge

      Re: The (almost) Inevitable

      That's because they'd be generating work for themselves, what counts as a "hack attempt"?

      Honestly I've bigger worries at this point than generating more stuff for the C-Suite execs to hit me over the head with.

  4. 0laf Silver badge
    Childcatcher

    "Details of exactly what constituted a "breach" were not made available by Carbon Black". Then their publication is really pretty meaningless. I don't doubt that 84% (probably low) have had a breach of some sort but the majority will have a fairly negligible impact.

    In terms of data you can have breaches and/or incidents which may or may not be the same as a security incident.

    It's really lies, damned lies and statistics

  5. Persona Bronze badge

    Doris in HR

    "... Keep training your staff, folks."

    No matter how hard you try to train Doris she will still click on those links. Doris constantly receives unsolicited emails from people who want to work for her firm. It's her job to open and read them. If they contain a link to some information that the candidate wants to highlight to show why they are right for the job she has to make the decision between doing her job and doing what the IT Security trainer told her. She clicks it every time even if it has all the classic hallmarks of a badly orchestrated phishing attack. If you disable links in her email client she will discover a dozen different ways to get to the place the link points.

    1. Anonymous Coward

      Re: Doris in HR

      Sounds like it's time to get Doris a Linux install with a Windows skin.

      1. Peter2 Silver badge

        Re: Doris in HR

        And if you assess the user requirements and come to the conclusion that the user only needs the ability to run programs installed by IT, and that random programs downloaded from the internet are quite likely to be unsafe, and then remove the ability for the user to execute executable code that is unsigned or not in a trusted location (that the user has no write access to, such as %windows% & %program files%), then regardless of how hard the user tries to compromise their PC they can't cause a security breach.

        I'm one of the 5% still bemusedly wondering why everybody else insists on training users to not click on links instead of just removing their ability to do anything harmful when a user clicks on a link. Same with .exe files being emailed in; just quarantine them! Delivering them and then relying on users not opening them is idiotic.

        1. Michael Wojcik Silver badge

          Re: Doris in HR

          Agreed, more or less.

          User training is important - though often at least as much for those who should know better, such as developers and IT staff. I still see lots of developers running everything, including browsers and email clients, with elevated permissions. (It doesn't help that IDEs often have to run with elevated permissions in order to install rebuilt components. IDEs are a security nightmare.)

          But humans are very bad at constant vigilance. We need to configure end-user systems for security.
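As an added example of the approach Peter2 describes above (this is not code from the thread, nor from any vendor named in the article): an AppLocker configuration for a Windows 10/11 Enterprise workstation that allows executables only from IT-controlled locations and signed publishers, preceded by an ACL audit of those locations. The audit matters because a path rule that trusts all of %windir% or %ProgramFiles% is only as strong as the weakest subdirectory ACL under it, and a few subdirectories there are writable by standard users on a default install. The roots, the temporary file names and the dropped "invoice.exe" stand-in are assumptions; the stand-in is a constructed text file, not a real executable.

```powershell
# Added example (not from the thread): restrict a standard user to IT-installed
# code with AppLocker and audit the trusted roots for user-writable subdirectories.
# Run elevated on Windows 10/11 Enterprise or Server. Paths are assumptions.

Import-Module AppLocker

# Trusted roots the user should have no write access to; step 1 checks that claim.
$trustedRoots = @($env:windir, $env:ProgramFiles, ${env:ProgramFiles(x86)}) |
    Where-Object { $_ }

# 1. ACL audit: list directories under the trusted roots that principals every
#    interactive standard user belongs to can write into.
function Get-UserWritableDirectory {
    param([Parameter(Mandatory)][string[]]$Root)

    $rights = [System.Security.AccessControl.FileSystemRights]
    $writeMask = $rights::CreateFiles -bor $rights::Write -bor $rights::Modify -bor $rights::FullControl
    $lowPriv = @('BUILTIN\Users', 'NT AUTHORITY\Authenticated Users',
                 'Everyone', 'NT AUTHORITY\INTERACTIVE')

    foreach ($r in $Root) {
        Get-ChildItem -LiteralPath $r -Directory -Recurse -Force -ErrorAction SilentlyContinue |
            ForEach-Object {
                $dir = $_.FullName
                $acl = Get-Acl -LiteralPath $dir -ErrorAction SilentlyContinue
                if (-not $acl) { return }
                $hit = $acl.Access | Where-Object {
                    $_.AccessControlType -eq 'Allow' -and
                    $lowPriv -contains $_.IdentityReference.Value -and
                    (($_.FileSystemRights -band $writeMask) -ne 0)
                }
                if ($hit) { $dir }
            }
    }
}

$writable = Get-UserWritableDirectory -Root $trustedRoots
if ($writable) {
    Write-Warning ("User-writable under trusted roots; add path exceptions or fix the ACLs:`n" +
                   ($writable -join "`n"))
}

# 2. Build the allow-list from what IT actually installed: publisher rules where
#    binaries are signed, path rules for the rest. Anything unmatched is denied.
$fileInfo = foreach ($r in $trustedRoots) {
    Get-AppLockerFileInformation -Directory $r -Recurse -FileType Exe, Script -ErrorAction SilentlyContinue
}
$policyXml = New-AppLockerPolicy -FileInformation $fileInfo -RuleType Publisher, Path `
    -User Everyone -Optimize -IgnoreMissingFileInformation -Xml

# First deployment in audit mode: event ID 8003 in the AppLocker log then shows
# what would have been blocked, without breaking anyone's day.
$policyXml = $policyXml -replace 'EnforcementMode="NotConfigured"', 'EnforcementMode="AuditOnly"'
$policyPath = Join-Path $env:TEMP 'standard-user-applocker.xml'
Set-Content -LiteralPath $policyPath -Value $policyXml -Encoding UTF8

# 3. Check the rules before deploying: an IT-installed binary next to a constructed
#    stand-in for a mailed attachment saved into a user-writable folder.
$dropped = Join-Path $env:USERPROFILE 'Downloads\invoice.exe'
Set-Content -LiteralPath $dropped -Value 'constructed sample, not a real PE'
Test-AppLockerPolicy -XmlPolicy $policyPath -User Everyone `
    -Path "$env:windir\notepad.exe", $dropped |
    Format-Table FilePath, PolicyDecision, MatchingRule
Remove-Item -LiteralPath $dropped

# 4. Deploy locally (use -Ldap for a domain GPO) and make sure the Application
#    Identity service runs; without it the policy is silently ignored.
Set-AppLockerPolicy -XmlPolicy $policyPath -Merge
sc.exe config appidsvc start= auto
Start-Service -Name AppIDSvc
```

The test in step 3 should report notepad.exe as allowed and the dropped file as denied; if it does not, the rule set is wrong and should not be switched from AuditOnly to Enabled. On a default install the audit in step 1 typically lists directories such as C:\Windows\Tasks and C:\Windows\Temp, which is why the classic "allow everything under %windir%" rule needs exceptions. The second half of the comment, quarantining mailed executables, is a mail-gateway setting that complements this rather than replaces it: the execution policy is what holds when a file gets through anyway.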

      2. Anonymous Coward

        Re: Doris in HR

        Sounds more like it's time to get Doris a different job and "downsize" HR.

        Really, most of HR is just there to screw over the employees, and the rest is outsourced anyway. It's not like anyone would notice....

  6. Anonymous Coward

    It is not "IT's fault"

    If your ****ing staff are too stupid to think twice before opening a CLEARLY dodgy email.

    (Anonymous because we all think it, but don't want it on any record)

    1. Michael Wojcik Silver badge

      Re: It is not "IT's fault"

      No, we don't all think it. IT have tried blaming users for half a century. It hasn't helped.

  7. Mike 137 Bronze badge

    " It's Doris in HR clicking an email link"

    On the other hand, it's so easy to blame Doris - the person least likely to be able to distinguish the malicious material from among the daily cascade of messages.

    I'm most interested in two things:

    [1] how did the malicious content arrive at the desktop, instead of being filtered out before it got there?

    [2] the almost universal ease with which malicious code launched from one desktop manages to infiltrate entire corporate networks.

    Maybe we should not blame Doris or even "IT" - ideally not blame anyone, but instead reconsider the robustness of our infrastructures. The ideal is intrinsic resilience against the unexpected so these (commonly simplistic) attack vectors merely bounce off harmlessly. In my professional experience, the fundamental failing is not usually a technological one, it's lack of effective management oversight. This leads to gross mismatch between assumptions and realities, as was so evident at Equifax, and the result is inevitably an unwitting soft target.

  8. Blade918rr

    Maybe it would be of more value if the percentage of incidents that resulted in high business loss was presented. It's all about risk: does a hack equal a large loss to business, or just an acceptable level of risk attributed to working in a highly connected world?

    As said previously, if you have limited visibility into abnormal activity you are unlikely to see a breach. I suspect in many instances, organised crime and nation states have better visibility of an organisation's posture than the C level of the org.

  9. Anonymous Coward

    I used to work at an intra-governmental organisation that had appallingly lax security on their office network (e.g. every device on the office network had a registered IP address, firewalls configured any to any in both directions and out of date AV software). [I was only asked to help the office IT folk and it took years for them to adopt recommendations for improved policies and implementation] Users often used file sharing software and I discovered that one of them had downloaded and installed some cracked software. The cracked software contained a trojan that allowed hackers to run some exploits from her PC. They scanned all of the organisation's networks and several other organisations in the same country, finding numerous admin passwords for servers at our organisation and elsewhere. The results of their activities were zipped and dropped on a server in the middle east. The head of IT was on holiday and didn't bother to read my urgent message until two months later. He quietly had the admin passwords changed and reported nothing to senior management.

    I would bet that similar suppression of such breaches has occurred in many organisations.

  10. Roundtuit

    Breach is such a loaded term

    It's almost as bad as "cyber". Both are bandied about like, and worth as much as, election promises.

    Good on El Reg for hitting the nail on the head though: "Details of exactly what constituted a "breach" were not made available by Carbon Black, which, like all vendors peddling these surveys, has a vested interest in talking up how insecure the online world is in order to sell more products and services."

    And for those of us genuinely trying to hold back the tide in infosec, their rampant, selfish, crass commercialism is doing us a disservice. Marketing tripe dressed up as "surveys" is a modern-day scourge.

Biting the hand that feeds IT © 1998–2019