If your org hasn't had a security incident in the last year: Good for you, you're in the minority

Not strictly true

If your org hasn't had a security incident in the last year, it just means that you haven't spotted it yet.

The (almost) Inevitable

Problem with this is that no-one counts or publicises the failed hacking attempts (except for the security companies) and no-one gets a medal for keeping hackers out.

The attack surface is so great these days that it is almost inevitable that, over time, an organisation gets hacked. And that grabs the headlines.

Liked the caption under the photo: "A proud CIO boasts that his org hasn't been hacked". What a way to throw down the gauntlet!

AC, well, because...

Doris in HR

"...…….. Keep training your staff, folks."

No matter how hard you try to train Doris she will still click on those links. Doris constantly receives unsolicited emails from people who want to work for her firm. It's her job to open and read them. If they contain a link to some information that the candidate wants to highlight to show why they are right for the job she has to make the decision between doing her job and doing what the IT Security trainer told her. She clicks it every time even if it has all the classic hallmarks of a badly orchestrated phishing attack. If you disable links in her email client she will discover a dozen different ways to get to the place the link points.

It is not "ITs fault"

If your ****ing staff are too stupid to think twice before opening a CLEARLY dodgy email.

(Anonymous because we all think it, but don't want it on any record)

" It's Doris in HR clicking an email link"

On the other hand, it's so easy to blame Doris - the person least likely to be able to distinguish the malicious material from among the daily cascade of messages.

I'm most interested in two things:

[1] how did the malicious content arrive at the desktop, instead of being filtered out before it got there?

[2] the almost universal ease with which malicious code launched from one desktop manages to infiltrate entire corporate networks.

Maybe we should not blame Doris or even "IT" - ideally not blame anyone, but instead reconsider the robustness of our infrastructures. The ideal is intrinsic resilience against the unexpected so these (commonly simplistic) attack vectors merely bounce off harmlessly. In my professional experience, the fundamental failing is not usually a technological one, it's lack of effective management oversight. This leads to gross mismatch between assumptions and realities, as was so evident at Equifax, and the result is inevitably an unwitting soft target.

Maybe would be of more value if the percentage of incidents that resulted in high business loss was presented. Its all about risk, does a hack equal a large loss to business or just and acceptable level of risk attributed to working in a highly connected world ?

As said previously, if you have limited visibility into abnormal activity you are unlikely to see a breach. I suspect in many instances, organised crime and nation states have better visibility of an organisations posture than a the C level of the org.

I used to work at an intra-governmental organisation that had appallingly lax security on their office network (e.g. every device on the office network had a registered IP address, firewalls configured any to any in both directions and out of date AV software). [I was only asked to help the office IT folk and it took years for them to adopt recommendations for improved policies and implementation] Users often used file sharing software and I discovered that one of them had downloaded and installed some cracked software. The cracked software contained a trojan that allowed hackers to run some exploits from her PC. They scanned all of the organisations networks and several other organisations in the same country, finding numerous admin passwords for servers at our organisation and elsewhere. The results of their activities were zipped and dropped on a server in the middle east. The head of IT was on holiday and didn't bother to read my urgent message until two months later. He quietly had the admin passwords changed and reported nothing to senior management.

I would bet that similar suppression of such breaches has occurred in many organisations.

Breach is such a loaded term

It's almost as bad as "cyber". Both are bandied about like, and worth as much as, election promises.

Good on El Reg for hitting the nail on the head though: "Details of exactly what constituted a "breach" were not made available by Carbon Black, which, like all vendors peddling these surveys, has a vested interest in talking up how insecure the online world is in order to sell more products and services."

And for those of us genuinely trying to hold back the tide in infosec, their rampant, selfsh, crass commercialism is doing us a disservice. Marketing tripe dressed up as "surveys" is a modern-day scourge.