As a father, I’m pretty familiar with most of the classic children’s stories: Green Eggs and Ham, Goodnight Moon, Cloudy with a Chance of Meatballs, The Very Hungry Caterpillar, etc. Another one of particular note is Chicken Little.
The plot is about a chicken who believes the sky is falling when an acorn drops on his head. Chicken Little wants to warn the king and tells other animals along his journey that the world is coming to an end. While there are many variations to the ending, most stories conclude with a fox inviting all the animals into his den where he eats them.
So, what does the story of Chicken Little have to do with security? Well, SolarWinds recently released the findings of a new security survey that highlights significant improvements in IT security preparedness and effectiveness, including steps the most successful IT departments have taken to improve their security posture, but also demonstrates that the threat and consequences of security breaches remain.
As I thought about the findings of the survey and the story of Chicken Little, three important lessons come to mind:
Lesson #1: For many companies, the sky is not falling.
With a 24-hour news cycle, we’re constantly bombarded about the latest data breach, malware infection, or email phishing scam. We aren’t even half way through 2016, and there have already been some big security news stories that have dominated headlines — including the Panama Papers, Verizon Enterprise Customer Data, and Methodist Hospital — and there will certainly be many more to come.
Let’s put this into some perspective, though — there are roughly 6 million businesses in the Unites States and as Chicken Little discovered, a single acorn falling does not mean the world is coming to an end. Take a look at some of the findings from the survey:
- More than half (55%) of IT professionals surveyed said their organizations did not experience any security breaches in 2015, compared to 29% who did.
- Fifty percent said their organizations are less vulnerable now than they were a year ago, compared to 12% who said they are more vulnerable. Furthermore:
- Nearly one-third (30%) said the number of IT security incidents their organizations experienced decreased in 2015 vs. one-fifth (20%) who said they increased.
- More than one-third (36%) said their time to respond to a threat decreased in 2015 vs. roughly a quarter (28%) who said it increased.
- Approximately half or more said it typically takes mere minutes for their organizations to detect the following threats:
- SQL injection attacks (47%)
- Exploitation of known vulnerabilities (50%)
- Misuse/abuse of credentials (47%)
- Rogue network device (52%)
- Security policy violations (47%)
Now, I’m sure that many of you may view these statistics with some skepticism. Yes, I realize that some of these companies may have been breached in 2015, but don’t know it yet. That said, I believe there are a lot of companies that are focusing on the right things and as a result are preventing major breaches — the IT professionals manning these organizations’ IT departments are the unsung heroes of IT security that won’t get any national news recognition because they prevented a bunch of attacks.
Lesson #2: Lead, don’t follow — make your own decisions based on the facts.
As Chicken Little sets off on his journey to warn the king, he tells his story to many animals along the way. Henny Penny, Cocky Locky, Ducky Lucky, and others begin repeating the story and create a sense of panic among the animals as they begin to fear for their lives.
While the general theme of “it’s not a matter of if, but when” has emerged over the past few years, companies can choose to lead and be proactive with respect to their security practices. There are many organizations whose security posture improved over the past year that found success by implementing a handful of vital security technologies and best practices. The survey findings include:
- Among those who said their organizations are now less vulnerable than they were a year ago, the top five reasons reported were:
- Adoption of intrusion detection and prevention systems
- Introduction or expanded the use of data encryption
- Improved patch management
- Implementation of log analysis, such as security information and event management (SIEM) tools
- Improved or increased security training for company personnel
- Endpoint security software topped the list of the most important technologies or practices for ensuring IT security, with 83% identifying it as critical or very important, followed by patch management software (75%) and identity and access management tools (71%) to round out the top three.
- More than half also identified configuration management software (60%) and SIEM software (54%) as critical or very important to ensuring IT security.
Lesson #3: The threat is real, but not always obvious.
Not all fairy tales have a happy ending. As Chicken Little and his friends found out the hard way, the fox said that he would help them find the king, but actually led them into his den and ate them all. Despite the positive developments the survey uncovered, IT departments must still be vigilant against the threat and consequences of security breaches. Keep in mind that the survey also found:
- Of those whose organizations experienced a security breach in 2015, 52% said the breaches were of medium to major severity.
- Nearly three-quarters (72%) of the organizations breached in 2015 store customer data, with more than one-third (36%) of those storing data on at least 100,000 customers.
- While just a quarter (24%) expect their organizations to suffer from a security breach in 2016, three-fourths (75%) of them store customer data, including 45% that store customer social security numbers.
- The increasing sophistication of attacks is the number one factor most commonly thought to make an organization more vulnerable (28%).
In summary: Don’t panic, but don’t let your guard down, either.
Today, with the constant flow of information made possible through social media and the internet, the voice of the Chicken Little has been increased ten-fold. And yes, there are times when it may seem like acorns are raining from the sky. But don’t forget that there are many companies where the sky isn’t falling due to the hard work and dedication of IT security professionals. If yours is one of these, great! But don’t forget that the threat is real and to never let your guard down. If you’re on the other side of the fence, look to these survey results highlighting what those who are seeing improvements are doing and follow their lead.
And if you’re interested in hearing more about the survey results, check out this webinar at http://bit.ly/1T8IBhw.