Why Can’t Organizations Be 100% Secure?

It’s no secret that cyber attacks have consistently risen over the last decade. As a result, organizations are putting more resources towards security than ever before. Canalys states global cybersecurity spending will increase by 13.2% in 2023. While it’s critical for organizations to invest in strengthening their security posture, even with an unlimited security budget, the most sophisticated technology, and highly skilled security talent – cyber attacks can and will occur.

As more and more organizations adopt the idea that there is no such thing as being 100% secure, it has shifted how they view security. Instead of trying to stop every attack, many companies aim to find a balance between preventative and reactive measures. The focus is now on demonstrating they are taking steps to reduce risks to an acceptable level and mitigate the impacts if they experience an attack. 

In this article, we explore the key reasons why an organization cannot be 100% secure and how to measure a security program’s success beyond the absence of attacks.

The Media Sonar research team asked 1,570 security professionals for the biggest reason an organization cannot be 100% secure, and 88% said human error.

1. Human Error

With 82% of all data breaches involving human error, it's clear that people are an organization's greatest asset and its most significant vulnerability. There are several reasons for this: cognitive biases, ego, internal and external influences, a belief that technology will keep them safe, apathy, thinking that security is not their job, being too busy to care, and the list continues. Whether the behavior is malicious (intentional) or negligent (unintentional), understanding it is vital to the overall security posture.

The Media Sonar research team asked 860 security professionals why humans are an organization’s most significant vulnerability. 67% attribute it to a lack of awareness. 

– Lack of awareness/training

Over the last several years, security has been front and center for many organizations, and cybersecurity training and resources are more accessible than ever. Despite this, human nature takes over, and people still fall for well-crafted schemes. Even if an organization offered daily security training and every person followed every policy and process available, some attacks would still succeed. The obviously fake lures fall away, but you eventually reach a point where you have done everything you possibly can, and tomorrow someone will still open ransomware delivered in a way that even the most experienced security professionals have not thought of yet.

– Usability trumps security

For many organizations, security comes at the expense of usability. The more security controls imposed, the more likely users will go around the controls to accomplish their job. You can 100% secure your systems by powering them down so threat actors or error-prone humans cannot reach them. Of course, these 100% secure systems aren’t very usable. Organizations must find a balance between security and usability to minimize friction in the user’s workflow and avoid people working around the security measures they have in place.

– Curiosity/Click on Everything 

It is human nature to be curious; it is how we are wired. When it comes to security, both curiosity and the reflex to click work against us. For example, if someone sends you a spreadsheet titled "executive salaries," most people's first instinct is to open it, not to wonder whether someone is out to get them. Threat actors know this and will keep exploiting human psychology for their gain.

– Too Trusting in Security Technology

Many companies have employees who understand the importance of security and the risks they pose as users. Even so, many people place too much trust in security technology and rely on it to manage risk for them. Technology can protect an organization from external risks to some degree, but it will never eradicate risk. Security technology exists to reduce the opportunities for bad things to happen and to quietly limit the consequences of a user being fooled. Users need to recognize that they still play a key role in maintaining security, regardless of how sophisticated the tech stack is.

2. Sophisticated Threat Actors

Another key reason organizations will never be 100% secure is that threat actors have grown far more sophisticated over the last several years. Threat actors have the budget, the technology, the motivation, and a swarm-effect advantage over a single company's security team. An organization can employ many strategies but must accept that it will not always win. You can win many victories, but threat actors only need to beat you once to achieve their objective.

3. Third-Party Risks Are Nearly Impossible to Manage

Third parties simply extend your network and add even more humans that may or may not have been trained as you would like. Some companies have hundreds of thousands of suppliers. How do you manage risk at that scale? Most third-party risk management strategies involve sending a questionnaire to these companies, waiting for their response, and following up. When you send out thousands of these, how long will it take your 2-3 person team to go through them all?

Some companies focus on their 5-10 largest third parties with the most access and accept the risk from the long tail of other suppliers. This mitigates some of the risk, but it ignores the fact that the small and medium-sized companies are often the highest-risk ones: they frequently have no measurable security program at all.

Measuring Security Effectiveness

Because there is no such thing as being 100% secure, relying on the lack of cyber attacks as a key measurement of an organization’s security posture doesn’t make sense. 

How you measure the effectiveness of a security program depends heavily on the organization's maturity. Young companies with immature security programs focus on coverage metrics: how many workstations have anti-malware on them, how many employees receive ongoing security training, or how many users take part in weekly or quarterly phishing exercises. If an organization has poor coverage, nothing else matters. If it has excellent coverage, it knows where it stands and can build from there.

As an organization gets more mature, the metrics become more business related. Mature organizations might look at things such as mean time to detect (MTTD), mean time to respond (MTTR), dwell time, or the security program’s cost compared to the impact. For example, if they were to spend $25 million on security, how effective was that? If they were to experience an incident that cost $1 million, would spending $1 million more on security have stopped that attack? 

Measuring security effectiveness is challenging because you cannot measure everything, and there isn’t always an answer to things you want to measure. Organizations should decide what to measure based on the current maturity of their security program, and as they mature, their metrics can mature and adapt with them. What you measure and present as your organization’s security metrics should tell a story, both in that moment and over time.
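The metrics above are easy to name and easy to get wrong, because teams define them differently and a single long-lived intrusion can distort an average. The block below is an added example, not code from the article or from Media Sonar, and the incident records and workstation inventory in it are constructed for illustration. It computes one coverage metric (EDR agent coverage) and the time-based metrics (dwell time, MTTD, MTTR) from incident timestamps, using the conventions stated in each docstring: dwell time is first compromise to detection, MTTD is the mean of dwell time, and MTTR is detection to containment.

```python
"""Security program metrics from constructed incident and asset records.

Added example. The records are invented, not data from the article or Media Sonar.
Metric definitions vary between teams, so each function states the one it uses.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean, median


@dataclass(frozen=True)
class Incident:
    name: str
    compromised: datetime  # earliest evidence of attacker activity, from forensics
    detected: datetime     # when the SOC confirmed the intrusion
    contained: datetime    # when the attacker's access was cut off


# Constructed sample incidents (not real cases). One long-undetected intrusion
# ("webshell-on-dmz") is included on purpose to show how it skews the mean.
INCIDENTS = [
    Incident("phish-cred-theft", datetime(2023, 1, 3, 9, 0), datetime(2023, 1, 3, 14, 0), datetime(2023, 1, 3, 18, 30)),
    Incident("vendor-vpn-misuse", datetime(2023, 1, 10, 22, 0), datetime(2023, 1, 12, 8, 0), datetime(2023, 1, 12, 20, 0)),
    Incident("webshell-on-dmz", datetime(2022, 10, 1, 0, 0), datetime(2023, 2, 1, 0, 0), datetime(2023, 2, 3, 0, 0)),
    Incident("malware-usb", datetime(2023, 2, 14, 11, 0), datetime(2023, 2, 14, 11, 20), datetime(2023, 2, 14, 13, 0)),
]

# Constructed workstation inventory: hostname -> whether the EDR agent has checked in.
WORKSTATIONS = {"ws-001": True, "ws-002": True, "ws-003": False, "ws-004": True, "ws-005": False}


def _hours(delta: timedelta) -> float:
    return delta.total_seconds() / 3600


def dwell_times_hours(incidents):
    """Per-incident dwell time: first compromise to detection.

    Rejects records whose timestamps are out of order, which is the usual sign
    that a forensic timeline was entered wrongly and would silently produce a
    negative dwell time.
    """
    for inc in incidents:
        if not inc.compromised <= inc.detected <= inc.contained:
            raise ValueError(f"{inc.name}: timestamps are out of order")
    return [_hours(inc.detected - inc.compromised) for inc in incidents]


def mttd_hours(incidents):
    """Mean time to detect: the arithmetic mean of dwell time across incidents."""
    return mean(dwell_times_hours(incidents))


def median_dwell_hours(incidents):
    """Median dwell time. Reported alongside MTTD because one long-lived
    intrusion drags the mean far above what a typical incident looks like."""
    return median(dwell_times_hours(incidents))


def mttr_hours(incidents):
    """Mean time to respond: detection to containment (not to full recovery)."""
    dwell_times_hours(incidents)  # reuse the ordering check
    return mean(_hours(inc.contained - inc.detected) for inc in incidents)


def coverage_pct(inventory):
    """Coverage metric for a young program: percentage of workstations whose EDR
    agent has checked in. 'inventory' maps hostname -> bool."""
    if not inventory:
        return 0.0
    return 100.0 * sum(1 for ok in inventory.values() if ok) / len(inventory)


def report(incidents, inventory):
    """One snapshot of the metrics; run it each quarter to see the trend over time."""
    return {
        "edr_coverage_pct": round(coverage_pct(inventory), 1),
        "mttd_hours": round(mttd_hours(incidents), 1),
        "median_dwell_hours": round(median_dwell_hours(incidents), 1),
        "mttr_hours": round(mttr_hours(incidents), 1),
    }


if __name__ == "__main__":
    for key, value in report(INCIDENTS, WORKSTATIONS).items():
        print(f"{key}: {value}")
```

With the sample data, MTTD comes out at roughly 748 hours while the median dwell time is 19.5 hours: the single web shell that sat undetected for four months accounts for almost all of the mean. Presenting both numbers, and watching how they move from one quarter to the next, tells the story the paragraph above asks for; presenting the mean alone would hide that three of the four intrusions were found within a day and a half.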

Security Is a Never-Ending Journey

At the end of the day, each organization must decide how much risk it is willing to accept based on its industry, the sensitivity of the information involved, and the expectations of the people who own the data. Security isn't absolute; it is a never-ending journey of reducing risk, never a destination of being secure. Organizations should focus on where their biggest vulnerabilities exist, employ preventative and reactive measures to manage those risks, and consistently evaluate their security program to identify areas for improvement.
