Here's why companies are still getting hacked

Massive data breaches, like the ones that exposed users of adultery site Ashley Madison and Sony Pictures' gender pay gap, are happening with increasing regularity despite all the money companies are throwing at the problem. Here's why:

Companies believe traditional methods of protecting their infrastructure will keep the "bad guys" away. But, with employees using devices like tablets, smartphones and laptops to conduct business, hackers have more opportunities than ever to gain access to critical information. Technical teams tend to focus primarily on anti-malware software or "state-of-the-art" firewalls, but all of these solutions are designed simply to keep unauthorized persons out of the network. This is exactly the scenario that hackers want because once they're inside, the data are free for the taking. It has been proven over and over again that keeping the "bad guys" out is ineffective. Hackers know this fact, and they exploit it. By the time a company reacts, it's too late.

Participants at a hacking conference.
Getty Images

Data breaches can wreak havoc on businesses for many reasons. First, there's a financial impact. Cybersecurity studies provide wide-ranging estimates for the costs of breaches, from averages of 58 cents per record stolen to $159 to $174 per record stolen. The true long-term cost of a breach depends on a number of factors. Enterprises may need to reimburse employees or customers, pay fines levied by regulatory bodies and deal with a damaged reputation.

Post-breach responses do nothing to truly protect against the "next one." The noise raises the demand for more cyber-spending, better threat-prevention tools, more security professionals and so on. However, the threats change too rapidly for prevention tools to stop breaches 100 percent of the time. This cycle is reactive at best and routinely fails to protect an organization's most precious asset – its data. This is why it's time to rethink cybersecurity at a fundamental level.

To truly keep its data safe, a company must employ a multi-layered approach to cybersecurity that focuses on data protection. This methodology protects both the network AND the data. It also protects from both outsider AND insider threats. Finally, it prepares the company to counter each stage of a cyberattack. These layers include things like encryption, multi-factor authentication and access permissions. Even if cyber-criminals make it through the door, they shouldn't be able to walk out with the crown jewels, the sensitive business data, tucked under their arms.

When data are protected at this level, the cybersecurity strategy is providing real business value, rather than creating a liability. Make no mistake, the capital expenditures for a solution that provides holistic protection will be higher than the tactical, box-checking approaches. But that investment will pale in comparison to all the costs of dealing with a major data breach, no matter what measurement is used.

Commentary by Ken Levine, President and CEO, Digital Guardian, a provider of next-generation data protection technology. He previously served as SVP and General Manager at McAfee (now Intel Security).