The relentless rise of APT

Stealth attacks to infiltrate networks and steal data are soaring. How do you respond to such threats?

Is it too late? Do we just give up? Are the attackers too far ahead? These are all questions raised by Steve Usher, senior security analyst, Brookcourt Solutions. "The answer is no," he says. "As with many of the big questions in cyber security, there is no simple answer to this. Why data breaches keep happening has no single answer; often, but not always, the issue is either human error or just bad operational security.

"While these are by far the most common reasons for a data breach, there is the small category of data breaches that are the targeted data breach, usually carried out by groups with the time and skill to infiltrate networks and steal the data unseen. These are usually, but not always, APT [Advanced Persistent Threat] groups."

With the exponential growth in not only the amount of data that is accessible from the internet, but also the use of the cloud to store that data, the opportunities for data breaches have become even more numerous. "This, in turn, leads to a larger requirement for cyber security staff, in an already straining industry, and those staff need not only cloud skills, but security-focused cloud skills and experience. Considering the speed at which the cloud is being adopted, there is a serious mismatch in the requirements for cloud security staff and the availability of those staff. This then leads to an exponentially expanding attack surface and a lack of experienced staff to ensure that the best operational security possible is enforced."

Is there a way back? Simply put, "yes", he concludes. "The way back is for any company that has data that is valuable to either the company or attackers to take stock of that data, to look at the configurations that are linked to the access of that data, the protections in place for that data and the potential cost of a breach of that data and act. If the appropriate staff are unavailable, a managed service becomes a more cost-effective option; then the focus should be on skilling up and training staff to properly manage and consider data security."

NOT ENOUGH SECURITY ANALYSTS
Ruvi Kitov, CEO of Tufin, sees several significant challenges in cyber protection today. "First, there's a severe staff shortage of qualified technical resources - there are simply not enough security analysts and many organisations are struggling to retain talent or ramp it up to full staffing. Secondly, cyberattacks are asymmetric in nature - an attacker can patiently try to breach thousands of organisations [or focus on particular targets] for months and wait for a single mistake, in order to gain access. For security teams, closing every possible vulnerability is mission impossible and there's always some attack surface exposed. In addition, the human element is frequently the weakest link in the chain and can cause critical misconfigurations through human error; or be tricked into clicking on phishing links."


These challenges apply to all attackers and organisations. "But there's another class of attackers," adds Kitov - "nation states, whose offensive capabilities are so advanced, from zero day attacks to very sophisticated custom-written malware, that most enterprises would not be able to defend against them, even with state-of-the-art security products and processes. So, the challenge today is not whether you will be breached - it's how to minimise the exposure and impact."

ODDS STACKED AGAINST DEFENDERS
"The simple answer here is that, while defenders have to succeed every time, attackers only need to succeed once," states Antti Tuomi, principal security consultant at F-Secure. "When it comes to industries that are traditionally not IT oriented, many companies, of course, try to do their best, but are not always sufficiently equipped to take into account, and proactively protect, against all attacks. The odds are stacked against the defenders when the company is large enough or significant enough to be targeted by motivated attackers with ample skills and resources."

That being said, 100% bulletproof defences are impossible, but resisting attacks is definitely not pointless, he adds. "Without the effort put into defence so far, we would be seeing far more breaches of a far bigger scale and severity. The mindset of shifting from not only securing the perimeter, but also preparing for a potentially inevitable breach by the means of detection and response, and hardening internal assets as well, significantly helps control the scope of a breach.


"I would argue that the defensive side now has better tools than ever before to help stay protected and make attackers' lives as hard as possible - resistance is definitely not futile."

NOT BEYOND FIXING
According to Carolyn Crandall, chief security advocate at Attivo Networks: "No matter how hard organisations try to defend themselves from adversaries, data breaches happen and attackers still succeed." Amongst more recent attacks to make the news, she points to the following:

  • Defence officials inadvertently revealed secret plans for a suite of enhanced weapons, potentially for use by Britain's Special Forces.
  • BrewDog exposed details of more than 200,000 'Equity for Punks' shareholders, plus those of many more customers.
  • A cyber-attack cost the mining equipment supplier Weir Group £40 million in profits this year.

Despite the sobering headlines, it's not beyond fixing, Crandall argues. "Organisations must look at data differently and start protecting what they don't normally view as sensitive or critical, like enterprise identities. CISA just released their draft 'Zero Trust Maturity Model,' where Identity is the first of five pillars. Attackers target Active Directory and other identity services in almost every attack and securing AD is one of the best ways to start the Zero Trust journey. Government guidance that incorporates more information on identity services can also help minimise the success of these attacks."

THE ESSENTIALS
Gartner also stated that 'Identity-First Security' is one of its Top Security and Risk Management Trends for 2021, yet many CISOs still only focus on multi-factor authentication (MFA) as a solution to their identity security challenges, Crandall also comments.

"Multi-factor authentication (MFA) and single sign-on (SSO) are essential and organisations should implement them. However, they are not the end all and be all for identity security. MFA and SSO can help stop attackers initially from getting on an endpoint, but that only works for interactive logins and a determined adversary will eventually break in."

The threat to identities is genuine and, given the damages occurring with their misuse, every CISO should prioritise it, she continues. "According to the 2021 Verizon Data Breach Investigations Report, credential data now factor into 61% of all breaches.

"More broadly, the 'human element' factors in to 85% of breaches, while phishing is present in 36% of them. These stats highlight that attackers consistently attempt to access valid credentials and use them to move throughout networks undetected."