You can’t go a week without seeing a story about a data breach or ransomware attack hitting an organization. These breaches are very costly, yet they keep happening. Are the good guys not winning the cybersecurity war? Organizations invest millions of dollars in security products and services, and they still get breached.

We definitely have a skills gap that makes it almost impossible to hire enough qualified people to staff a good security program. We see a large migration towards Security as a Service (SECaaS) offerings because organizations cannot successfully operate the products they purchased and get the needed value from them. That helps in that regard, but they are still being breached.

When you look into many of these breaches, the root cause boils down to an employee or contractor who clicked a link, after which malicious code was downloaded and executed on their system. This can happen via email, messaging or any other delivery mechanism where the attacker knows enough about the target to entice them to click. Employee security training is a huge business, but many employees disregard it, or it is so basic that it is almost useless. Most (but not all) of us know the Nigerian prince is not going to send us millions of dollars to help get it out of the country. That is the typical shotgun approach to phishing: the cost per message is very low, so a success rate of a fraction of a percent makes it worthwhile.

Newer attacks, like spear phishing, are much better at quickly harvesting information about you and people like you, and using it to craft a more enticing link for you to click. Way too often, I hear people talk about these attacks and say “It does not affect me. I am not important enough