6 reasons why improving security is so hard

The best practices for enterprise security are well known. So why are so few companies implementing them?

Last year, when Target's CEO and CIO resigned in the wake of one of the largest thefts of payment card info in history, a seminal moment seemed to have arrived: At last, C-suites everywhere had been put on notice. The consequences of not taking security seriously were abundantly clear.

Since then, unabated, the parade of household names beset by data breaches has rolled on: Michaels, PF Chang's, Community Health Systems, UPS, Dairy Queen, Goodwill, Home Depot, JP Morgan Chase, Kmart, Staples, and most notoriously Sony, where the consequences -- not only for Sony Pictures exec Amy Pascal, but for the storied brand itself -- were catastrophic.

In the face of such carnage, how is it possible that nothing seems to change? As InfoWorld's Roger Grimes proclaims again and again, the best practices to prevent successful attacks are almost painfully obvious. Prior to the 2014 attack, Sony's defenses already had a reputation for being thin. Roger used the Sony breach as occasion to remind us that "the overall state of computer security at most companies is pathetic."

Security awareness has climbed to extraordinary heights as a result of these breaches, yet one of the safest predictions you can make is that we'll see more high-profile disasters this year. Given the stakes, how could this be? Here's my speculation.

1. Playing the odds at the top

Security efforts cost money and dent productivity by adding extra steps to normal operations. No captain of industry earns accolades by reducing risk, but short-term profitability pays handsomely, and chief execs tend to change jobs frequently. What are the odds a high-profile breach will occur within a few years' tenure? Higher than a few years ago, perhaps, but as Arijit Chatterjee and Donald Hambrick observed in their landmark 2007 Penn State study, "It's All About Me," CEOs often display narcissistic tendencies, and narcissists embrace risk.

2. Listening to vendors

Security vendors are in the business of hyping the latest threats (to the point of creating logos for them) and selling magic bullets to combat them. Technically, these threats are real, but represent a tiny risk relative to such obvious attack vectors as exploiting unpatched systems. Believe the hype and you'll divert resources away from where they're needed most.

3. Caving to operational pushback

Let's say management gets religion and decides to eliminate the No. 1 risk in its organization, client-side Java. But then, uh-oh, several LoB managers pipe up to object that certain critical applications depend on client-side Java. In fact, a couple of crucial apps require older Java versions that are utterly exploitable. Does the company really want to bring operations to its knees while those apps are re-created using some safer technology? Or should that happen, say, during the big technology refresh planned for next year?

4. Failing to explain the obvious

Admins assume only an idiot would click on a random file attachment, follow a link to a malware-infested site, or react to a fake virus alert by installing fake antivirus software that's actually malware. But the fact is phishing emails have become very, very good, and if you've never seen what happens when your real antimalware software detects a Trojan, how do you know what's fake and what isn't? Users need structured security training, along with prompt warnings when phishing exploits circulate. Training needn't take long but must be ongoing.

5. Assuming invulnerability

Firewalls, intrusion detection systems, security event monitoring, network monitoring, two-factor authentication, identity management … your company has it all. Nobody is getting in! Yet the sad fact is if you have something to steal, you've already been hacked. Wrapping one's head around that idea creates the proper mind-set -- to encrypt critical information at rest, to avoid enabling permanent admin privileges, and to implement other measures that minimize damage after bad guys cross the perimeter.

6. Succumbing to fatalism

I often think that many enterprises know how horrific the problem is. But what can they do? The professionals who launch APTs (advanced persistent threats) are almost unstoppable. The financial industry sees the many billions lost to fraud and cyber theft each year as part of the cost of doing business. We're all going through the motions. The bad guys have won.

There's an element of truth to this last point, since exploits are always one step ahead of defenses. Yes, attacks are inevitable -- but that's no excuse for laxity when it comes to best practices, which vastly reduce the attack surface area.

Procedural change of any variety messes with people. But letting sloppy security practices persist will almost certainly make you a big, fat target. Which will it be? Bureaucratic inertia tinged by persistent fear? Or the discomfort of adding overhead in order to slash risk dramatically? You may never see a commensurate reward for the latter, but personally, I prefer being able to sleep at night.

Copyright © 2015 IDG Communications, Inc.