It’s a fact that when we are inundated with news about a single topic repeatedly we tend to start ignoring it, pushing it out of our head and moving on to the next thing.
Sadly, this type of “Fatigue” is starting to occur in the cybersecurity space as the 24-hour news spits out commentary about Equifax, Yahoo, Deloitte, Sonic, SEC, NSA, etc. etc.
If you didn’t know there are breaches happening you are living in a bubble and probably won’t be reading this blog anyway.
In each situation that the media reports on, the root cause is different; however, many times it boils down to plain old stupidity.
While we Brits try to be subtler, this topic requires the American approach. So, let’s look at the real definition of Stupidity. It is simply behavior that shows a lack of good sense or judgment.
The businesses in the headlines and the ones that are being breached but not making it to CNN or the BBC all have something in common, they lacked good sense and judgement in protecting their business, their brand and their employees.
If you want to have a chance at protecting your business you can start by being diligent in 5 key areas:
1. People leadership
It’s a pretty standard occurrence that if a breach occurs the CISO, CTO, or CIO will be held accountable and in some extreme cases, like Equifax, the CEO takes the fall. To be fair, most of these senior leaders aren’t familiar with the details of everyday security practice. They are counting on their teams to do their jobs, be the experts and raise issues to the appropriate levels. There is a lack of good sense in not creating a culture in which potential issues can be raised rather than hidden in the vain hope that trouble won’t visit.
2. Patch management
Poor patch management is one of the most common reasons that breaches occur and is the epitome of a lack of judgment. Not updating vital systems in a timely manner means that someone in the organization is not paying attention or is simply in the wrong role. Software vendors are consistently pushing out updates to fix security flaws in their software. If the team or individual responsible decides not to implement updates because of inconvenience to employees, the time required to install, or any other such reason then, bluntly, they should be removed from decision-making authority. The quickest way to get buy-in and cooperation is to show real examples of what happens when data is lost, stolen or compromised. The ROI between the time spent patching and the value protected quickly becomes crystal clear.
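“Timely” only means something if it is measured. As an added example (not code from the original article or from its author), the script below takes a constructed export of pending updates, assumes a hypothetical per-severity SLA measured from the vendor’s release date, and produces the kind of patch-lag report that shows a leadership team exactly which systems have been left exposed and for how long. The host and package names, the SLA values and the report date are all assumptions made for the example.

```python
"""Patch-lag report: flag pending updates that have exceeded a per-severity SLA.

Added example; the inventory, the SLA table and the report date are assumptions.
"""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class PendingUpdate:
    host: str
    package: str
    severity: str   # vendor rating: critical / high / medium / low
    released: date  # date the vendor published the fix


# Hypothetical SLA: maximum days from vendor release to installation.
# These numbers are an assumption; tune them to the organization's policy.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}

# Constructed inventory export (not real data), one pending update per line:
# host<TAB>package<TAB>severity<TAB>released (YYYY-MM-DD)
INVENTORY = """\
web-01\tweb-framework\tcritical\t2024-03-06
web-01\ttls-lib\thigh\t2024-04-20
db-01\tdb-engine\thigh\t2024-03-15
db-01\thttp-client\tmedium\t2024-01-10
jump-01\tssh-server\tcritical\t2024-04-28
"""

# Fixed report date so the example is reproducible; use date.today() in practice.
REPORT_DATE = date(2024, 5, 1)


def parse_inventory(text):
    """Parse the tab-separated export into PendingUpdate records.

    Unknown severities are rejected rather than silently given the longest SLA.
    """
    updates = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        host, package, severity, released = line.split("\t")
        if severity not in SLA_DAYS:
            raise ValueError(f"unknown severity {severity!r} for {host}/{package}")
        updates.append(PendingUpdate(host, package, severity, date.fromisoformat(released)))
    return updates


def overdue_updates(updates, today, sla_days=SLA_DAYS):
    """Return (update, days_past_sla) pairs, worst offender first."""
    rows = []
    for u in updates:
        age = (today - u.released).days        # days the fix has been available
        limit = sla_days[u.severity]
        if age > limit:
            rows.append((u, age - limit))
    rows.sort(key=lambda r: r[1], reverse=True)
    return rows


def overdue_by_host(rows):
    """Count out-of-SLA updates per host, for the per-system summary."""
    counts = {}
    for u, _ in rows:
        counts[u.host] = counts.get(u.host, 0) + 1
    return counts


def main(today=REPORT_DATE):
    rows = overdue_updates(parse_inventory(INVENTORY), today)
    for u, late in rows:
        print(f"{u.host:8} {u.package:14} {u.severity:8} {late:4d} days past SLA")
    for host, n in overdue_by_host(rows).items():
        print(f"{host}: {n} update(s) out of SLA")
    return rows


if __name__ == "__main__":
    main()
```

Run against the constructed inventory as of the fixed report date, the critical web-framework fix on web-01 comes out 49 days past its 7-day SLA and db-01 has two overdue updates; the two recently released fixes are still within their windows and are not reported. The same report, produced from a real asset inventory on a schedule, is the evidence that turns a patching argument from opinion into numbers.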
3. Ask questions
As we get older we tend to lose some of the basic curiosity we had as children which led us to constantly ask “why.” With the complexity of securing a network or business, we need to slow down and ask the questions, even those that may seem basic, to ensure we are challenging ourselves and our people to be comprehensive. In many cases of high-profile breaches, had questions been asked of internal staff or third-party MSSPs, the attacks could potentially have been avoided. We owe it to our organizations to ask and ask again until we are beyond satisfied that the crime prevention solutions in place are the best they can be.
4. Budget
This is becoming less of an issue as corporate fear of being in the headlines grows; however, the amount required to fully defend a business from a cyberattack is typically far greater than is currently being allocated. I always recommend that businesses look at the expense like they look at a membership to a health club. The money you are paying is an investment in your personal health and well-being. The same is true when paying for management, hardware, software and professional services for the prevention of cybercrime. The difference is that it’s the well-being and longevity of a business and its employees that’s at stake.
5. Clarity of current environment
Last but certainly not least is having the good sense to understand what your current environment is. A surprising number of companies we work with had previously purchased equipment and services that were not being fully utilized, or even used at all, because they simply didn’t ask the right questions. Businesses need a cybercrime prevention platform in place that can scale in line with company growth rather than prove an unwelcome restriction. Before sourcing such a system, however, we always recommend gaining a full understanding of the assets already in place before expending unnecessary people or resources.
There will undoubtedly be instances where businesses that have the correct technology and systems in place still experience a breach. On occasion attackers will simply outwit people and technology positioned to defend against them. However, the vast majority of damage is caused simply as a result of the lack of good sense and judgement.
Please don’t be stupid. Do what needs to be done to protect your business and be the example for others in your industry.
This article is published as part of the IDG Contributor Network.