Has every company really been hacked? Is every company really going to be?
A popular meme in the information security industry is, “There are only two types of companies: those that know they’ve been compromised, and those that don’t know.”
And the second is like unto it: “There are only two kinds of companies: those that have been hacked, and those that will be.”
The first is used more often than the second, but the second is probably closer to the truth. Both are used to put the fear of the infosec gods into businesses and government agencies, and given the rash of breaches over the past couple of years, the memes and the headlines seem to reinforce each other.
But is it true that there are only “two kinds of enterprises (2KoE)”? That every organization has already been hacked (whether they know it or not), or will be if they haven’t been? Are these 2KoE memes based in reality, and do they help or harm the industry’s efforts to get organizations to take cyber security seriously?
Has Every Enterprise Really Been Hacked?
Part of the challenge in answering is defining what “hacked” (or “breached” or “compromised”) means. Few organizations suffer a mega-disaster like Target, Anthem, or OPM, but virtually every organization has lost a device or USB drive with sensitive data on it, been infected by malware when an employee clicked the wrong link, or had a consultant accidentally(?) take files home for his or her next gig. By that measure, you could say that “every enterprise has been compromised.”
One piece of quantitative data comes from a 2014 FireEye / Mandiant report, which stated that 97% of the organizations it analyzed had been breached, meaning that “at least one attacker had bypassed all layers of their defense-in-depth architecture.”
And here’s some qualitative or anecdotal evidence: former Director of National Intelligence Mike McConnell has said the Chinese have hacked into every major American company: “We’ve never, ever not found Chinese malware.”
Such observations would seem to be borne out by the new breaches that have come along every few days for the past couple of years. This grim period has cast a harsh light on the weak cyber security among some of the best-known consumer and industrial brands as well as government agencies and the military.
It’s also true that every company, no matter how small, is a potential target. Attackers often assume that smaller companies pay less attention to cyber security and have fewer resources to devote to it. And they may not be after money or corporate intelligence at all; they may be breaking into your systems only to see whether they can reach a juicier target (a larger customer or partner, say) from there.
It’s all enough to lead Cisco’s CEO and CSO to say that “If the past year has shown us anything, it’s that companies should no longer ask if they are going to be hacked and instead when.”
John Klemens, Telos Corporation’s technical director of IA solutions, doesn’t believe that every organization has been breached, nor does he believe that breaches are inevitable. However, “If your enterprise is a high-value target due to what you have, then ‘inevitable’ becomes a much more appropriate word.” He adds that “breaches are certainly possible at every organization, because every organization has people, facilities, and equipment — all of which are breachable.”
Telos CSO Rick Tracy also doesn’t believe breaches are inevitable, rather calling them “likely or probable.” He likens them to traffic accidents. “If you drive, it’s probable that you’ve had some type of accident or will someday. It’s not guaranteed, but it is possible or even probable.”
Tracy says that the likelihood and severity of a car accident is determined in part by how and where you drive — and there are some obvious analogies to cyber security and breaches: what industry you’re in and what types of data you have help determine your chance of being targeted. (This dynamic is reflected in cyber insurance premiums, where rates for retailers and healthcare firms have jumped in the wake of devastating breaches in those industries.)
However, Klemens adds, “There’s no perfect security, and security isn’t an endpoint — it’s a never-ending journey. Organizations can go to great lengths to reduce the likelihood of breaches, but eliminating them altogether? That’s not possible.”
Should Infosec People Stop Using the 2KoE Memes?
So for argument’s sake, let’s agree that all companies are at least at risk and need to be prepared. Does threatening enterprises with the “2KoE” boogeymen help or hurt the industry’s effort to get people to take information security seriously?
Do these memes convey any value to companies that want to do the right things? Or do they just give lazy companies air cover, easing their sense of guilt and responsibility when a breach happens?
In a way, the 2KoE memes are tinged with the same kinds of “moral hazard” issues as cyber insurance and other forms of insurance. Just as knowing that you’re covered for breaches might lead you to take more risks in your security practices, being told “you’ve already been breached” might help you “give yourself permission” to let your cyber guard down.
Developer and web security specialist Troy Hunt, in a “comment conversation” with me about one of his blog posts, suggested that these memes are “a bit simplistic…The statement is made in such a Boolean way, but there’s a lot more to it than that…I’d hate to see a mindset that’s basically ‘well we’re going to get hacked anyway.’”
Telos’s Rick Tracy agrees that the 2KoE memes don’t really serve a purpose other than trying to shock people and get them to understand how pervasive the cyber security problem really is: “The trouble with these statements is that they’re difficult, maybe impossible, to disprove.”
The other issue, Tracy suggests, is that the memes imply that you shouldn’t feel bad about being breached because it happens to everyone — literally, according to the meme: “You might argue that it serves to send the wrong message: ‘Don’t worry. It happens to everyone. Go back to sleep.’”
Bromium co-founder and CTO Simon Crosby states this even more bluntly: “Your organization does not have to fall prey to the fatalism of the ‘you’ve already been breached but don’t know it yet’ set. Those are the narratives of executives who know they are failing and seek solace in collective failure.”
So has every enterprise literally been breached? Probably not. Is every enterprise likely to be breached? Perhaps not, but given the increasing rate of breaches and the interconnected nature of commerce in the 21st Century, it makes sense for every enterprise, large and small, to take every reasonable precaution to protect themselves.
If information security professionals continue to use the 2KoE memes, they need to provide some real-world context and recommendations with them in order to bolster their clients rather than allowing the memes to foster hopeless resignation. They need to encourage their clients to know the threats, know their vulnerabilities, do all they can to remediate them, manage the risks involved, and be prepared should a breach occur.
Update, 12/19/2018: Cybersecurity expert and author Richard Bejtlich has published a thorough and thoroughly fascinating blog post on the history of this meme: The Origin of the Quote “There Are Two Types of Companies”