Breaches: Avoiding 'Victim's Fatigue'

Kevin Mandia Warns Against Letting Guard Down
Breaches: Avoiding 'Victim's Fatigue'
Kevin Mandia

Cybersecurity is the only crime where the victim needs to apologize, says Kevin Mandia, founder of the data breach mitigation services firm Mandiant.

See Also: Are Security Tools Slowing Your Response?

"It's startling that it got that way," he said in a Feb. 27 keynote address at the RSA Conference 2014 in San Francisco.

Mandia offered a variation of the old saw about two types of organizations: those that have been breached and those that don't know it.

"If you're an F in cybersecurity or an A in cybersecurity, an attack has the same chance of being successful," Mandia said. "If you're an F in cybersecurity, you never find out and your boss says, 'Whew, nothing happened.'"

Organizations with a grade of A will learn from their experiences and take steps to mitigate future breaches, he says. But unfortunately, many of these organizations soon become vulnerable again.

Here's how Mandia put it: Victims of cyber-attacks expand their IT security teams shortly after the breach and aggressively combat the attackers. Six months later, after no new breaches occur, management thinks, "You know, we don't have to do this stuff anymore." The top cybersecurity experts hired to prevent future breaches get bored and move onto more challenging jobs. Then, the company gets breached again.

He characterized this syndrome of companies letting their guard down as "victim's fatigue."

Mandia said it isn't that cyber-assailants are smarter than IT security pros hired to safeguard systems. But attackers need only to break into one device, whereas IT security specialists need to protect thousands of devices. "It's easier to shatter crystal than to shape it," he said.

Mandiant, acquired for more than $1 billion in December by FireEye, came to prominence a year ago when it released a report directly implicating the Chinese military in cyber-espionage (see 6 Types of Data Chinese Hackers Pilfer).

In his address, Mandia revealed that his firm had intercepted resumes of members of the Chinese attack team bragging about their assaults on Western organizations.

Additional Summit Insight:
Hear from more industry influencers, earn CPE credits, and network with leaders of technology at our global events. Learn more at our Fraud & Breach Prevention Events site.

About the Author

Eric Chabrow

Eric Chabrow

Retired Executive Editor, GovInfoSecurity

Chabrow, who retired at the end of 2017, hosted and produced the semi-weekly podcast ISMG Security Report and oversaw ISMG's GovInfoSecurity and InfoRiskToday. He's a veteran multimedia journalist who has covered information technology, government and business.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.