Jonathan Crowe
Dec 2015

The 9th Day Breach-mas: 9 Lessons Learned



Editor’s note: This is the ninth post in our “12 Days of Breach-mas” series — every day we’re sharing new tips and insights to help keep you more secure. For a recap of what you may have missed, see our summary post here. 

Ashley Madison. Anthem. OPM. VTech. Sadly, 2015 was another big year for big data breaches, with over 176 million personal records exposed (and counting). On a positive note, the headlines and media coverage these mega breaches have generated have pushed cybersecurity into the national spotlight as a major issue in dire need of addressing. But beyond the initial outrage sparked by each subsequent breach, all this extra attention has unfortunately resulted in very little productive conversation about how best to actually move forward.

When it comes to data breaches, we're big on outrage but short on answers.

In the aftermath of any major breach there's predictably much hand-wringing and finger-pointing, but each time we're inevitably deprived of the full story as to what actually happened, along with any practical lessons as to what we can all do differently to avoid similar disasters in the future. That's because as soon as the first wave of news reports is published and the initial shock surrounding a breach dies down, it's simply on to cover and read about the next one. The wait is never long.

As a result, it's very easy to get swept along without learning any valuable lessons that can help us all be more secure. Here are nine high-level takeaways from some of the biggest mistakes we saw again and again in 2015:

9 Hard Lessons Learned from Cybersecurity Mistakes

  1. “More” is not a strategy. Gartner estimates companies will spend over $100 billion on IT security in 2018. Clearly, the prevailing attitude is we need to be doing (and spending) more, yet one look at the list of large organizations that suffered breaches this year should be enough to help us realize "more" doesn't inherently equate with "safe". Budget and resources are only as good as the strategy in place to deploy them.  
  2. The biggest threat isn't an attacker, it's complacency. Improving security can require significant organizational change, and change requires buy-in. The most important thing you can do is convince leadership that security is important and worth seriously investing in. Otherwise, you run the risk of settling for shoddy and/or outdated security practices that can easily be exploited (see Troy Hunt's breakdown of the VTech hack for a devastating example).
  3. Size does matter (but not in the way you think). Despite the focus on big company data breaches in the headlines, small businesses have just as much to worry about. In fact, 60% of attacks were targeted toward small- to medium-sized businesses in 2014. While they typically have fewer resources to utilize against threats, small businesses also have several natural advantages they can leverage. See what they are here.
  4. There’s power in simplicity. “Big security” isn’t always better security. Expanding your coverage has obvious benefits in terms of reducing risk, but it can also introduce complexity, cost, and noise. The key is to determine your goals and risk tolerance and invest accordingly with an eye toward keeping things simple and streamlined as long as you can.
  5. Good security comes in layers. When evaluating solutions, it's important not to get too focused on individual products without taking into account how they can be paired with additional technology and complementary approaches to boost your overall security posture.
  6. Improving security isn’t a one-and-done activity. It requires an ongoing, active, and iterative approach.
  7. Security isn’t just one person’s responsibility. To be truly effective, you need to develop a culture of security that transforms it into a company-wide effort. That said, you do need someone with expertise actively owning and managing security, even if you do plan on outsourcing. Spending money on solutions is a waste if no one knows how to leverage them properly (or, in the case of outsourcing, hold them accountable).
  8. Outsourcing can make sense. But only if you have a clearly-defined goal to achieve or problem to solve, and only if you partner with a provider who can deliver on your specific needs.
  9. Leadership cares about the business, not security. That's why the key to a productive buy-in conversation is to focus on how security can improve the business. Get more tips on how to "speak executive" and get approval for your security budget here.

Stay tuned for more actionable cybersecurity tips and advice during our “12 Days of Breach-mas” by subscribing to our blog below.

Jonathan Crowe

Jonathan covers the latest threats and cybersecurity trends from a practical perspective.
