Is a Catastrophic Cyber Compromise a Black Swan Event?

The short answer is no. Wikipedia describes a Black Swan event as one that comes as a surprise, has a major effect, and is often inappropriately rationalized after the fact with the benefit of hindsight. There’s a lot more to it than that, but this definition will suffice for this blog. The attacks on 9/11 would be considered an example of a Black Swan event – they meet all of the criteria outlined above. Many cyber attacks meet the major-effect component of a Black Swan event; however, today we see an inordinate number of successful cyber attacks around the globe. This means that these attacks are somewhat commonplace and definitely not rare or surprising events (at least to those of us that follow this space).

These cyber attacks cause an enormous amount of damage for organizations in the commercial and government worlds. The damage is typically financial and reputational, includes decreased market share, and now quite often extends to job loss for senior executives and sometimes board members. Why? Many of these organizations have typically spent large sums of money on their cyber security infrastructure and are quite confident that it’s robust enough to withstand attacks. This is a common misconception. Adversaries are bent on stealing intellectual property, national secrets and data for financial gain, or simply on destruction.

And it’s not a fair fight. Cyber defenders must stop all attacks, while adversaries only need one gap to get into an enterprise. Many organizations are not aware of the risk due to their misplaced trust in a security architecture they perceive as invulnerable. Security architectures must be reviewed frequently, along with the associated security processes of the experts that maintain and monitor them. In our field, complacency equals compromise.

Threat intelligence is also important for organizations to bake into their infrastructure and processes. This gives cyber defenders critical information on attackers, and allows them to utilize this data to hunt in their environment for signs of compromise based on known patterns from specific groups. On average we’ve seen attackers compromise systems and go undetected for over 205 days. That’s a long time to look around someone’s enterprise environment, and certainly enough time to steal almost anything. Another disconcerting fact is that more than 67 percent of the time, the compromised organization never even identifies the fact that they’ve been breached. Instead they’re notified by law enforcement or some other third party. Again, we can blame misplaced trust in their security architecture.

Other organizations haven’t spent a lot of their IT budget on a security architecture because they don’t believe their data is important to a would-be adversary. Another common misconception. Attackers typically have a use for data from most organizations – and even if they don’t, an enterprise could end up as part of the attacker’s command and control infrastructure, ferrying stolen data from other compromised enterprises or worse yet, used in an attack on someone else.

Our advice? Your organization should do a quick web search to learn about any breaches in your verticals. We warn you—misplaced trust in your security architecture may make this exercise uncomfortable. In the end though, it’s important to understand that cyber compromises are not a Black Swan event; they’re becoming more common and will likely impact you, sooner or later.