Litan’s view is based on 12 years as a security analyst, and other analysts tend to agree with her. One of the more hopeful ones, Robert Westervelt of market research firm IDC, said he sees a bright future for enterprise security, even though the road is fraught with difficulties.
“I don’t think enterprises have gotten worse at cybersecurity, but they are dealing with complexities that they didn’t have to deal with 10 years ago,” Westervelt said. “It’s two steps forward, and then external factors make you take a step back. It’s a neverending story. We’re always playing catch up.”
One of the more critical voices is analyst Patrick Moorhead of Moor Insights & Strategy. “The private sector isn’t doing nearly as much as they should and could be doing with security,” he said. “The tools are available for identity protection and file protection, but the reality is that they aren’t using them. It used to be that software wasn’t available, but that is no longer the case and, really, enterprises are just putting up excuses at this point.”
Jack Gold, an analyst at J. Gold Associates, said security in the enterprise is always evolving. “As security covers up one flaw, another is found and exploited by the bad guys,” he said. “There really is no way to assure 100% security as we’ve seen numerous times.”
Human error is the biggest risk factor, as in the case of ransomware.
“Somebody clicks on a file he or she shouldn’t have and it infects the system from the inside,” Gold said. “Companies spend massive amounts on securing against outside threats, but a simple email message containing a hack can bypass all of that.”
Gold said his research has shown that companies tend to fall six months behind, on average, in applying security patch updates. “That’s like leaving the front door unlocked when you know burglars are in the neighborhood.”
Gold said his impression is that enterprises are “probably” doing better on security than they did a decade ago, but there are now more attacks than ever.
How an attack could unfold
Litan described one example of how a hack works: Foreign states, including China, are able to target human resources data at a private defense contractor’s manufacturing plant to get information on all the Americans working there.
“They can find out where all the workers’ kids go to school, then email one of the engineer’s teachers to say one kid’s been acting up, so please come to school as soon as possible,” Litan said. “That engineer’s likely to open that email and, then, get infected with some kind of malware.”
A foreign state, or even a criminal gang, also might try to recruit the engineer to share design secrets for a new manufactured product, even one under contract with the U.S. Defense Department. Or, the malware could sit inside a system for a long time, grabbing up bits and bytes of passwords stored in memory that eventually allow the hackers to gain access to more secure portions of a corporate network.