Changing the Economics of Cybersecurity

It’s almost a cliche to talk about how often breaches occur—in 2015 alone, we’ve seen high-profile breaches at everyone from Anthem to the popular work collaboration tool Slack, and even the federal government, thanks to the recent US Office of Personnel Management attack. While many organizations are implementing security solutions to avoid becoming the next headline, there’s a fundamental math problem with the money they are investing: while organizations may think their ROI is pretty good, the ROI for criminals is even better, giving criminals more incentive to work their hardest to break into an enterprise network.

IT organizations can spend millions trying to protect the network perimeter from attackers, yet attackers will still breach defenses, leaving companies vulnerable to data loss or worse. And attackers will keep trying, because the success rate of attacks is high. Hackers might only have to spend a little bit of money and a week or two to worm their way inside a Fortune 500 network. One hacker can write an exploit that will open the digital doors of millions of corporate systems, spilling out data and resources of untold value. The exploits are easily passed around in the underground so the threats to corporations are exponential. And the attacks can be as easy as sending a carefully crafted phishing email to a top-level executive; the effort for attackers is minimal and the payback is huge. Meanwhile, IT departments are spending more and more money trying to keep hackers out, with minimal success. Which brings me to an uncomfortable point:

Clearly, the economics of security are not in the enterprise’s favor. Let’s look at the numbers: Organizations will spend a staggering $77 billion on security in 2015, with growth forecast at 8 percent. In addition, trying to protect your network edge from incentivized attackers takes a toll in both money and time. Businesses spend an average of $1.27 million annually responding to false alerts, and they waste 395 people-hours each week thanks to faulty intelligence and alerts.

You’d think that with this kind of money being spent on security, breaches would be just about non-existent. However, this isn’t the case: Breaches have actually gone up dramatically in the past three years, and more than 97 percent of enterprises have been breached. At a per-breach average cost of $6.5 million in the US, even just a few breaches add up, and one strategic one can put a company out of business.

To shift these lopsided economics in favor of effective security for businesses, companies need to find a way to make it more difficult and costly for attackers to breach defenses, reducing the potential attack surface so it’s tougher to break in. When you make it harder for attackers to gain entry, they tend to move on to easier targets. It’s the “outrun the lambs, not the wolves” approach. You need to narrow your focus on what to protect and when, instead of trying to shield your entire network from attack. How do you do that?

Changing the Economics of Security Starts and Ends at the Endpoint

In my opinion, the answer rests in thwarting threats to the endpoint. Why? The endpoint poses far and away the greatest risks to a business. More than 70% of threats come into businesses this way, thanks to the combined power of the mobile and cloud revolutions. Now that employees spend a good part of the day working from home, hotels and cafes, corporate data no longer remains safely within the corporate network. The network perimeter has evaporated, causing enterprises to lose control of where data is hosted and where it is accessed, leaving them exposed to bad actors.

The endpoint problem is compounded by the fact that a single bug in the tens of millions of lines of code in an operating system or application – combined with an unguarded click by an unsuspecting employee – can put an enterprise at risk.

Halting attacks at endpoints reduces the attack surface and deters criminals. As it eliminates opportunities for attack, it helps enterprises avoid potentially catastrophic losses. The economic balance therefore shifts in favor of the enterprise – and attackers lose incentive to make your enterprise the focus of their exploits.

While data breaches aren’t going away anytime soon, every company has a choice in how it prepares for them. By focusing on the endpoint, businesses can better secure themselves with less cost and less time expended by the IT team. And what about those lambs and wolves at your doorstep? They’ll eventually get tired of knocking and move down the line to companies far less equipped to combat their advances.
