This is the second post in a security-focused series. To read the first post, click here.

When organizations experience an attack, they oftentimes want to know, “Why us?” There can be a lot of different reasons behind an attack. Here are some of the most common reasons we see:

Opportunistic Attacks

There are several unethical agencies out there that get paid to look for holes in systems, gather data or serve as the middleman in a larger scheme. Hacking can be akin to a kind of sport or achievement in the “because we can” bucket for some. It earns them internet street cred.

Targeted Attacks

Motivations vary but sometimes an attack is the result of a very deliberate effort targeted at a specific organization. Certainly large, well known organizations are at risk. Again, the lure might be simply for notoriety, or it could be to obtain very valuable personal data. It could be related to an organization’s activism or conversely the cyber attackers’ leanings.

If you’re not a large, well known organization, don’t think you are immune to targeted attacks. Have you ever had a disgruntled employee? Or do you think your competitors are above playing dirty? Through the security support that Flexential provides to clients each day, unfortunately we see the reality of how often targeted attacks can occur.

Absent Controls

Controls, or safeguards, are necessary to prevent and detect and attack, as well as to minimize the damages caused by an attack. Security is really built in layers. You can’t just have one security control – you need to have several layers and you need to be prepared. Organizations can leave themselves open to a breach if they don’t have these controls in place, if there are failings in one or more controls or if they have insufficient controls.

Controls are why it’s important to have a strong team, either on the payroll or on retainer, closely working to maintain security practices across your organization in order to protect the confidentiality, integrity and availability of your information.

I will cover controls in a lot more detail in one of the future blog posts in this series. Subscribe to this blog to receive a notification when that post is published.

Bad Luck

Sometimes, an attack will be the result of zero-day vulnerabilities. Those situations I classify as just bad luck. Of course, no one can predict when these types of incidents will occur. However, steps can be taken to minimize the damage that these attacks can cause and restore operations as quickly as possible.

It’s important to understand the reasons why your organization might be at risk. Security isn't about a tool, or a person or a product. None of that will solve the problem or reduce worry without the conversation. Security is about educating and performing due diligence to understand. Only then can we defend, protect, respond and investigate. Watch our on-demand webinar to learn about the current security landscape, why security programs fail and how to get started and maintain a mature security posture.

In my next post, I’ll share tips on how to assess security risk, and in future posts I’ll share tips for determining your risk profile and security best practices. Subscribe to this blog to receive notifications when those posts are published.