You’d be hard pressed to find anyone who’d deny that cyber attacks are bad and getting worse. We’ve all read the headlines—major healthcare sites are hacked, entertainment companies are breached, retail chains are compromised. Attacks are getting bigger and much more frequent, and the economic fallout that accompanies such an event can be devastating. But those headlines only tell part of the story.
The fact is everyone’s been hacked. You’re probably familiar with the quote by FBI Director James Comey from October 2014: “There are two kinds of big companies in the United States. There are those who’ve been hacked … and those who don’t know they’ve been hacked.” But it’s not just big companies—according to research by Computer World, 90% of companies have been hacked at one time or another. 
How is that possible with all the investments companies have made in security? Shouldn’t the solutions they’ve put in place be enough? At Imperva, we believe that traditional security – endpoint, perimeter and application – is necessary but not sufficient.
Let’s take a look at each one.
Perimeters are often your first lines of defense, but they’re also the most porous. For starters, insiders, malicious or otherwise, easily bypass the perimeter and knowingly or unknowingly compromise your data. Then add malware that leverages unsuspecting users to attack both them and the infrastructure. Finish off with applications and data moving to the cloud and you find that the perimeter becomes less and less relevant.
Hackers now target the Endpoint directly, either by conspiring with users to steal data or by duping them into opening up vulnerabilities. And, increasingly, as BYOD continues to become the norm, the company no longer owns or controls the devices that its employees use, adding to the complexity of securing them properly.
Let’s not forget the Applications. It’s tricky because you want to give people access to information through applications—that’s just the way you do business. Unfortunately, hackers are pretty effective at breaching these applications, particularly those that are accessed through the Web.
There’s another component at stake when we talk about the security risks your company faces—reputations. Both yours and your company’s. It can take years to build a solid reputation and seconds to destroy it. As companies have painfully discovered, a security breach goes far beyond the loss of data. Just one highly publicized cyber attack and reputations tumble—leaving a black mark that can follow a business for years.
It’s time to face the facts—traditional security just isn’t enough. Most enterprises have purpose-built perimeter, network, and endpoint security in place, but these don’t solve the “application security” challenge. We see it year after year as we compile our findings about application layer attacks in our annual Web Application Attack Report (WAAR). If these other approaches to security solved that problem, our report would be empty. Unfortunately, we always have plenty of information to include.
Don’t get me wrong; I’m not saying that traditional security doesn’t serve a purpose. It does. But it also has an important weakness…it doesn’t protect all your business-critical data and applications.
Think about it like this: traditional security is like the type of security that you would put in your house. You would lock the door and windows. You might even have an alarm. But a talented and motivated thief will eventually get into your house. And once he does, he’ll have free rein over everything inside. To prevent that, you’d still need locks on your doors but you’d also need a smarter approach. You’d need to protect the things that really matter to you—like your family heirlooms, your expensive jewelry, and any other expensive and irreplaceable items.
The same holds true for your company. You still want to use traditional security. But mostly, you want to protect what really matters—your data and applications. Protecting data and applications is exactly what Imperva does. And by keeping them safe, we can also safeguard your reputation.
Imperva protects your structured and unstructured data where it resides—in databases and fileservers. And we protect it where it’s accessed, through the Web applications that rely on your data and drive your business. Our unique and sophisticated approach to security is the key to guarding against both outside threats and internal actors while helping your organization stay on the right side of regulations.
I hope you’ll join me in a conversation over the next few weeks as I delve a little deeper into those three areas. Please leave your comments below; I’d love to hear your thoughts on these points.