Perimeter Security Investment and the Sunk Cost Fallacy
Why do organizations continue to invest in perimeter security even when data suggests it is not stopping hackers? Because of how much they’ve already invested in perimeter security, of course!
A lesson that events and the news cycle have communicated loudly to organizations in the last decade is that cyber threats evolve and that legacy security technologies and protections, while necessary, are not sufficient to stop new attacks and sophisticated actors.
Despite that, information technology professionals continue to bet and bank on perimeter protections like firewalls as the backbone of their information security programs, even as threats and employee work patterns undercut the effectiveness of those technologies.
That’s the conclusion of a new survey of more than 1,000 IT “decision makers,” which finds that businesses continue to prioritize perimeter security “without realizing it is largely ineffective against sophisticated cyberattacks.”
According to the research, which was commissioned by the firm Gemalto, more than three quarters of respondents (76%) said their organization had increased investment in perimeter security technologies such as firewalls, intrusion detection, antivirus, content filtering and anomaly detection to protect against external attackers, even though two thirds (68%) believe that unauthorized users could access their network anyway, and more than a quarter (28%) have seen their perimeter security breached in the past 12 months.
Even worse, companies acknowledged that attackers who do get past their network perimeter will encounter few obstacles. Over half of respondents (55%) to the Gemalto survey admitted they do not know where all their sensitive data is stored. Around a third of businesses do not encrypt valuable information such as payment or customer data. And, on average, less than 10 percent of data breached (8%) was encrypted, Gemalto found.
Firewalls, security gateways, intrusion detection systems (IDS) and other perimeter protections have been mainstays of enterprise information technology security for more than two decades. They’re important and necessary tools that thwart a wide range of low-level, malicious activity. But cybercriminals figured out ways around them long ago, and all the while computer use patterns shifted to make them less effective at stopping threats.
Targeted attack strategies like phishing and watering holes have proven effective at poking holes in the perimeter. Today, attacks like SQL injection might penetrate firewalls to target applications directly. Hackers target individuals via the web and social media with malicious files attached to email messages or embedded in a web page that the employee visits. Such attacks sail through a firewall and establish a toehold behind it. A phishing attack that successfully harvests an employee’s login credentials allows the attacker to impersonate a legitimate user on the network and exploit his or her access permissions, from which sophisticated attackers can move laterally within a network environment and compromise other vulnerable systems.
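To make the SQL injection point concrete, here is an added example (not from the original article, and not tied to any product named in it) showing why a firewall in front of a web application does nothing for this class of attack. Both login functions receive the same request on the same permitted port; the difference is entirely inside the application. The database, table and user record are constructed for the demonstration.

```python
import sqlite3


def make_db():
    # Constructed sample user store for the demonstration (not real data).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct-horse')")
    conn.commit()
    return conn


def vulnerable_login(conn, username, password):
    # The query is assembled by string formatting. The firewall has already
    # allowed this traffic: it is an ordinary HTTP login on an open port, so
    # whatever the user typed reaches the SQL parser unchanged.
    query = (
        "SELECT COUNT(*) FROM users WHERE username = '%s' AND password = '%s'"
        % (username, password)
    )
    return conn.execute(query).fetchone()[0] > 0


def hardened_login(conn, username, password):
    # Parameterised query: the driver binds the values separately from the
    # SQL text, so user input is treated as data and never as SQL syntax.
    # This is an application-layer control that no perimeter device replaces.
    row = conn.execute(
        "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] > 0


def compare(username, password):
    # Run the same input through both implementations; returns a pair
    # (vulnerable_result, hardened_result) so the behaviour can be checked.
    conn = make_db()
    return vulnerable_login(conn, username, password), hardened_login(conn, username, password)


if __name__ == "__main__":
    # A legitimate login succeeds in both versions.
    print("valid credentials  :", compare("alice", "correct-horse"))
    # A wrong password fails in both versions.
    print("wrong password     :", compare("alice", "nope"))
    # A username carrying a SQL comment marker: the string-built query
    # discards its own password check, the parameterised one does not.
    print("comment in username:", compare("alice' --", "x"))
```

The third call is the one the article is talking about: the input passes every network control because it is well-formed HTTP to an allowed service, and only the parameterised query stops it. Detection on the perimeter (signature matching for quote characters, for instance) is brittle by comparison; the durable fix lives in the code that builds the query.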
These kinds of attacks aren’t merely hypotheticals. They’re behind most substantial compromises you read about these days. And IT professionals seem to recognize this. Just 42% of respondents to Gemalto’s survey said they believe that their organization’s perimeter security systems are very effective at keeping unauthorized users out of their network. Still, organizations seem intent on putting more money towards existing security technologies, rather than investing in new ones. Gemalto’s survey found that over the past five years, around three quarters (76%) of respondents’ organizations have increased their investment in perimeter security, while just 7% have decreased it.
What’s going on here? Why continue to throw money at technology that you suspect (and evidence suggests) isn’t working all that well? One explanation is a glitch in human reasoning known as the “sunk cost fallacy.”
“Sunk cost,” of course, is a term borrowed from economics (or accounting) that refers to money a business has already spent and cannot recover – think research and development into a new product, or marketing expenditures to promote an event or brand. The sunk cost fallacy comes into play when individuals or organizations make what we would consider irrational decisions about the future based on those past expenditures. Say the R&D you paid for suggests that a new product isn’t likely to be commercially viable. The smart thing to do would be to walk away from the product. The sunk cost fallacy would dictate pursuing the product anyway, in consideration of “all the money we’ve spent researching it!”
A similar psychology may be at work with the perimeter defense survey. Companies are continuing to throw money at firewalls, IDS and email gateways in consideration of all the money they’ve already spent on those technologies. To simply pull the plug on them and redirect spending to different kinds of solutions would be to admit that the investment in the technology did not pay off – at least not in the long term. So, instead, companies beef up spending on those technologies they’ve already invested in, then watch as hackers sidestep them, incurring further costs to the organization.
As with any problem, securing corporate networks requires a clear-eyed assessment of risks and of the options to address those risks. The Gemalto survey, if nothing else, revealed that such thinking may be missing in many organizations, where perceptions about the effectiveness of technologies appear to diverge both from the facts of how effective they are at stopping attacks and from the organization’s own investment strategy. Until organizations can muster that kind of vision, we shouldn’t expect the statistics on breaches and data theft to improve.