A Question With Many Answers
The reasons for this reality are numerous and complex. There’s no one thing you can point to as the reason why a growing number of hacks are successful. Part of it stems from the fact that it has always been easier to destroy than to create. That simple truth automatically puts the defender at a disadvantage.
Fixed-point defense of that kind is also inherently reactive. You can’t defend against an attack until it happens, which means that most of the innovation is going to come from the attacker. That leaves the defender perpetually behind the curve, always having to play catch-up.
Those things go quite some distance in explaining why so many breaches are successful, but they don’t explain everything. The sad reality is that many successful breaches use very old tricks. Phishing emails have been around in one form or another for a long time. Sure, they’ve gotten more sophisticated over the years, but the concept is tried and true.
The three biggest problems, and the three biggest reasons the landscape never seems to change in the corporate world, come down to the fact that corporate security practice itself seldom actually changes. Sure, after a breach has occurred, you’ll see companies rush to deploy a specific patch to plug a specific hole, but you almost never see a broad-based, deep-pocketed security response by a company that puts a cutting-edge, truly robust security system in place. Those reasons are as follows:
Profits, Profits, Profits
In the drive for ever-increasing profits and productivity, companies see expenditures on security measures as extremely expensive insurance. Security measures not only cut down on productivity, but their cost to deploy and maintain drags down profits. Not knowing whether or when an attack will occur, many companies simply prefer to keep profits high and play the odds.
Cult of Personality
A lot of the problem also stems from business owners. You can’t make a name and a reputation for yourself as a Captain of Industry if you turn in average to below average growth and profit numbers. Sometimes, ego gets in the way of doing the right thing for the business in the longer term. It’s an unfortunate truth, but it’s certainly not unheard of.
Listening to Vendors
Many business owners feel that vendors are the experts in their field, and as such, they should be listened to. That includes security vendors. What is often overlooked is the fact that security vendors are companies too, and like your business, they’re chasing profits. It’s fairly common practice for security companies to “hype” certain scary-sounding but relatively marginal threats, then sell high-priced solutions to those problems, which diverts badly needed corporate resources away from the fundamentals. Again, it’s unfortunate when it happens, but it happens more frequently than you might imagine.
All that is to say that there’s no single answer that explains the whole matter, but there are several major components to bear in mind.