Chances are that your organization has spent a large amount of money on cybersecurity technology. Products such as firewalls, intrusion detection and prevention, anti-virus, virtual private networks, etc. are all part of most organizations’ tools designed to detect and prevent security breaches. In addition, the quality of these security products is incredibly advanced and proving successful in the fight against cyber attacks. So is it safe to assume that the organizations that are now experiencing breaches are generally failing because they scrimped on their security budgets and therefore left their employees more vulnerable? Unfortunately, the answer is no. In fact, many of the large corporations that have experienced massive breaches had security budgets of over one million dollars, had deployed the best security money could buy, and in some cases, had even had dedicated teams actively monitoring their entire networks looking for even the slightest anomalies. Yet, breaches still occurred.
So what happened? Well, it turns out that sometimes all this added security has had the opposite effect on the overall security of the organization. This is because as organizations have implemented more and more security layers, the employees themselves have become less concerned about their own security practices. As strange as that may seem, the reality is that when organizations are known to be implementing strong cybersecurity solutions, the employees tend to let those solutions protect the organization.
For example, when organizations implement strong antivirus/antimalware detection solutions on employees’ desktops, the assumption by the employee is that these solutions are preventing their computers from being infected. Therefore, when they browse on the Internet, click links in emails, or open attachments supposedly sent from co-workers, the employees’ concern about becoming infected by malicious software is minimal, since the assumption is that the security solutions implemented will obviously protect their computers.
What many people don’t realize is that while it is good, security technology is not perfect. In fact, only 51% of new viruses introduced on the Internet are picked up by antivirus solutions on day 1. After a new virus has been attacking the Internet for two weeks, that number creeps up to only 61%. That means with each new virus working its way around the Internet, the technology on your computer designed to detect and prevent it only has a 61% chance of success. Now, while that might seem like a decent chance of stopping the malware, it’s important to keep in mind that in 2015, over one million new malware threats were released every single day. So, on any given day, you have approximately 500,000 variants of malware that go undetected by the security software on your computer designed to keep it safe.
In addition, many organizations have implemented solutions that help protect web browsing by allowing organizations to choose the types of content that are safe for users to access. The problem is that even websites deemed safe have been found to spread malware. In 2015, it was discovered that Yahoo ads were being used to spread malware to vulnerable computers while their users browsed “legitimate” websites. This means that even with strict security policies in place that limit users to only the most well-known and legitimate websites, a user could have still been infected via a simple online ad from Yahoo. But again, if the user browsing on the Internet is under the impression that he or she is secure because the organization is keeping their web access secure, he or she is less likely to worry about the sites visited.
The same holds true with email when organizations provide filtering and security notifications. For example, many organizations implement rigorous filtering on their inbound email to reduce the amount of potentially malicious email that users receive. Often emails will contain a header message indicating if the email was sent from an employee internally or if it was received from someone on the Internet. By implementing these additional layers of security, the recipient can feel more confident about emails received because they have gone through security screening. Again, the problem is that while filters and email sender notifications help, they offer no real guarantees and often give the recipient a false sense of trust. For example, if you receive an email that comes from a co-worker, you are already more likely to trust it. If that email has also been flagged to confirm it truly was sent internally, that adds even more credibility that it is legitimate. So if that email includes a link or attachment, because it was from a trusted co-worker and flagged to show it really was sent from an internal user, you are more likely to click the included link or open the attachment. Had the email not contained the flag showing it was truly sent from an internal user, or had it not been sent from a co-worker, you may have been more suspicious.
The problem is that criminals are using this level of trust against organizations. They are sending emails that appear to be from co-workers and, in some cases, using already compromised computers in an organization to send more emails to other employees. Those emails are now flagged as sent from internal users, allowing the cybercriminals to compromise more systems on the organization’s network.
So what does all this mean? Obviously cybersecurity solutions are extremely important to the security of any company. However, you should understand that they are not the total solution. At best, they can slow intruders down and make it more difficult for would-be attackers to gain access. That said, ultimately, even the best security in the world is not a guarantee. In fact, regardless of how well you might think security is implemented at your organization, you are still at risk. Every time you connect to the Internet via your computer, tablet, or mobile device, potential threats will present themselves and it is up to you to keep your guard up. Never assume that the security technology will protect you. Sure, it may be implemented, but it is nothing more than a backstop that hopefully might catch something you missed. The reality is that you are on the front line of defense and it’s far better for you to avoid and/or detect a malicious situation than to hope that automated software will do it for you.