This month, we close the 10-year anniversary of one of the worst years for data breaches in history. 2013 saw some of the largest breaches on record, with threat actors exfiltrating millions of people’s data and costing organizations hundreds of millions in remediation.
Fast forward a decade, and data breaches continue to plague organizations. It raises the question: Have we learned anything?
This blog post explores the ways cybersecurity over the past decade has experienced pivotal shifts — but in many ways has stayed the same — and why that matters for the future of security.
The 3 biggest changes to cybersecurity in the last decade
There have been countless changes to the security industry in the past 10 years, but it’s important to highlight three of the most pivotal. These shifts have reshaped the way we approach security.
1. The realization of inevitability
The most profound transformation in cybersecurity has been the awakening of CEOs and CISOs to the realization that it’s an impossible feat to stop all threats. This critical mindset shift represents a departure from the conventional belief that pouring more money into acquiring technology would automatically fortify security.
Until a few years ago, the prevailing mentality was that more technology equaled more safety. This caused organizations to increase cybersecurity budgets without considering their underlying belief system or strategy for security. Fortunately, adopting this kind of approach today would lead a CISO out of a job — but what fills that security strategy vacuum is more important than ever.
The fact is that breaches persist. Organizations are realizing that the traditional approach to cybersecurity isn’t as effective as once believed. They’re increasingly turning toward a Zero Trust approach based in the reality that breaches are inevitable and adopting foundational technologies like Zero Trust Segmentation to contain breaches when they happen.
2. From merely responding to surviving breaches
It’s encouraging to see the paradigm shifting from organizations focused solely on responding to attacks to actively surviving them. Cyber resilience is increasingly built into organizations’ cybersecurity strategy.
Accepting the inevitability of breaches has helped organizations to be more transparent in disclosing incidents. This transparency, coupled with the implementation of effective breach containment strategies, is crucial in limiting the impact of breaches.
This requires a mindset shift for business leaders, in particular. When cybersecurity incidents are inevitable, so are losses resulting from those incidents. It’s impossible for their security teams to completely prevent all breaches. When breaches occur, they must result in manageable losses. This requires both technological and mindset changes within leadership that encourage a breach containment approach alongside traditional prevention and detection.
A positive example of this is the implementation of breach containment strategies by running shoe retailer Brooks. Both business and security leadership at Brooks acknowledged that a cyberattack could cause major operational and reputational damage. By implementing Zero Trust tools like Zero Trust Segmentation, Brooks ensures its systems allow customers and retail clients to procure products to run securely.
3. Increased cybersecurity legislation
Government security mandates are essential for establishing frameworks and standards. In the past few years, global governments have increasingly adopted new legislation to combat ever-evolving cyber threats, including the U.S. government’s Executive Order 14028 and the European Union’s NIS2 and DORA directives, among others. Nearly all of these directives have adopted a Zero Trust strategy that encourages organizations to adopt a “never trust, always verify” approach.
Despite the focus on cybersecurity at the highest levels of government, many of these mandates have 10-year transformational or compliance plans, which are unlikely to align with the rapid pace of innovation by the cybersecurity industry and threat actors alike.
It's necessary to adopt agile regulations that can keep pace with emerging cyber risks, ensuring that public and private sector organizations remain resilient in the face of rapidly changing threats.
2 constants in cybersecurity that need to change
2013’s data breaches may have been a cybersecurity wake-up call. But they didn’t change these two fundamental constants.
1. Reactivity to “breaches of inconvenience”
Organizations are still fixated on addressing immediate "breaches of inconvenience," making them inherently reactive to the evolving threat landscape.
The ongoing MOVEit data breaches have highlighted the fact that while security incidents are unpredictable, they're also unavoidable. Cyberattacks have transcended being solely a security issue; they’re now an operational challenge, threatening the very core of organizations’ operations and availability.
Cyber threats are evolving so quickly that traditional prevention and detection aren’t enough to build cyber resilience. Instead of trying to react to every new attack tactic, organizations need to proactively prepare for breaches by implementing breach containment technologies, starting with Zero Trust Segmentation.
2. Security warnings keep cybersecurity stuck in status quo
Despite the prevalence of breaches, the cybersecurity community has not yet witnessed a catastrophic cyber event. Incidents like the attack on Colonial Pipeline in 2021, while causing minor disruptions, have not reached catastrophic levels. Unfortunately, it’s likely that the conversation around cybersecurity will only truly change when a catastrophic event occurs.
Every new breach is an indicator of potential future threats that could cause a catastrophic impact, especially those to critical infrastructure. The looming question is not if but when a catastrophic cyber event will take place, with potential impacts on the banking system, electric grid, and healthcare.
A breach prevention mindset can’t prepare us for catastrophic attacks. Organizations across all industries, geographies, and scales must adopt breach containment strategies to ensure the next attack doesn’t have the opportunity to become catastrophic.
Looking back at the last decade of cybersecurity underscores the need for a shift in mindset and approach. The acceptance that breaches are inevitable should drive organizations to focus on survival strategies, effective containment, and minimizing losses. The combination of innovative technologies, strategic investments, and a resilient mindset will be instrumental in overcoming the challenges posed by the persistent and evolving nature of cyber threats.