Or you probably have been and you don't know it yet. It is not a matter of "if" rather than "when". There are several reasons for making this claim and let me list some of these:
- The hackers are extremely intelligent - and more motivated than people who work for you
- You are dependent only on your standard practices for cyber security which is often determined and predicated by a small team of "specialists" - in most cases specialists are limited by their knowledge and in various studies are known to effective 20-40% of the time depending on context of the work.
- The hackers have become sophisticated - if you see the example below included in the reference, the North Korean hackers have prepared immensely and strategically for their hack. Several pieces of the puzzle have fallen into place all at the same time - including the Bangladeshi and US banks, the banks in Vietnam in order to draw the money out and so forth.
- You penetration tests are a whitewash and a lip-service. Often, you go through motions of a prepared plan to do a security drill which leads to more complacence.
- More and more, the hackers are playing the long game. If you look at this story about the North Korean hackers they have waited for over a year or more inside the network. Patiently until the timing is right.
What might potentially help:
- An ability to engage all your people to overcome hacks - especially in technology where making it their ownership to find holes, not follow blind rules and processes.
- Reduce your over-dependence on specialists - again derive common rules using them as a starting point, but get broad based technology group support in owning it and implementing and evolving it. A thousand eyes are better than 30. In a nutshell, it is a people game. Treat them and involve them well.
- You are always going to months behind on technology. Your technology is always going to have holes and zero-day exploits. Accept that. Firing your next CTO as blame when things fail is not going to improve things. In fact, a CTO with more failure will have more experience than the one with a blemish less track-record.
- Practice techniques like Chaos Engineering (Chaos Monkey, Chaos Gorilla, etc.) - but you probably wont because your infrastructure is not going to be good enough to pull some plugs Tuesday at 10 AM peak business hour.
- Play the long-game. Your short-term plans and fixes are not going to work from a planning and budgeting standpoint. Plus use multiple external vendors to break and impregnate your networks with different hacking approaches. One company wont just do it.