Creating a Culture of Security
Too many organizations treat IT security exactly the same way they treat something like sexual harassment training: it's something irritating you have to pay attention to, but it isn't really at the core of your business. It's a box you have to check. You have to say you care a lot about it, but in reality, you try to ignore it unless it rears up and slaps you in the face.
But IT security is very much -- or should be -- a core part of your business.
Even the tiniest businesses have information that attackers would love to possess -- the personal information of a patient (invaluable for identity theft), credit card numbers (valuable in and of themselves), customer contact information (great for building marketing lists to sell to competitors), you name it. For the most part, attackers aren't after your company's "core information." They're after the incidental information that you collect as part of doing business. There's a massive black market for that information -- there's real money here.
Let's state that even more clearly: IT attacks are a business. There's profit to be had.
And the penalties, should you be the victim of an attack, can literally shut you down. Look at the fines and damages Target is paying, which is estimated to be more than a billion dollars. If that happened to a small restaurant -- a far easier target, with just as juicy an information store -- it'd be out of business overnight.
Security has to become a core part of your business. You have to protect yourself. This isn't like a sexual harassment lawsuit, which you might be able to financially survive. A single hit in an IT attack can ruin even an enormous corporation. And I'm not just talking about brand damage and loss of business or customer confidence; I'm talking about real, financial damages, payable immediately.
One attack. That's all it takes.
Now you have to look at your corporate culture and ask if you've cultivated a culture of security. Do your employees routinely consider the security implications of their at-work actions? Do you have regular training sessions to help remind them to be vigilant?
Do you have a central security effort? I'm often amazed at the companies that don't. I recently delivered an on-site seminar for a fairly large client. Before I could show up, their risk mitigation folks demanded proof of my auto insurance, my general liability insurance certificate, proof of worker's compensation insurance and more. Yet that same company allows internal divisions to stand up new public-facing Web sites at almost any time. The company's own IT people have to scan their own public IP addresses to find out about new stuff. That's completely unbalanced -- you're worried about a single contractor not having insurance, but you're not worried about Internet-connected data spews?
Companies' cultures need to change. You need to become concerned about every new piece of software, every new connection and every new piece of data -- whether or not you're required by law to care. If some piece of software doesn't contribute to your core business, don't allow it. If some new Internet-connected service isn't part of your mission, don't connect it. But if you do allow it, and you do connect it, then you have to secure it. Your culture needs to abhor uncontrolled new data stores, connections and pieces of software. You need to consider every access to your resources, including that HVAC vendor whose password will be stolen. Yes, your corporate culture needs to get a little paranoid.
You need defense in depth. Two-factor authentication should become the minimum bar in every company, of any size, ever. Waiters at a restaurant should have to swipe their card and key a PIN, not one or the other, in order to access the point-of-sale system.
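As an added illustration of the "card and PIN, not one or the other" rule (this is example code, not from the original post or any real point-of-sale product): a small login gate that accepts a swiped card token (something the waiter has) plus a PIN (something the waiter knows), rejects either factor on its own, stores PINs only as salted PBKDF2 hashes, and locks the account after repeated failures. The employee names, card token and PIN below are constructed sample data.

```python
"""Two-factor gate for a point-of-sale login: BOTH a swiped card token and a
PIN are required. Added example; all names and sample values are constructed."""
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Dict, Optional

PBKDF2_ROUNDS = 200_000   # slow the hash so stolen PIN hashes are costly to crack
MAX_FAILURES = 5          # lock the account after this many bad attempts


@dataclass
class Employee:
    name: str
    card_token: str       # value encoded on the employee's swipe card (possession)
    pin_salt: bytes       # per-employee random salt for the PIN hash
    pin_hash: bytes       # PBKDF2-SHA256 of the PIN; the PIN itself is never stored
    failures: int = 0
    locked: bool = False


def hash_pin(pin: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, PBKDF2_ROUNDS)


def enroll(name: str, card_token: str, pin: str) -> Employee:
    salt = os.urandom(16)
    return Employee(name, card_token, salt, hash_pin(pin, salt))


def authenticate(directory: Dict[str, Employee], name: str,
                 card_token: Optional[str], pin: Optional[str]) -> bool:
    emp = directory.get(name)
    if emp is None or emp.locked:
        return False
    # Both factors must be presented; a card swipe alone or a PIN alone is refused.
    if not card_token or not pin:
        return False
    # Constant-time comparisons so a wrong factor is not revealed through timing.
    card_ok = hmac.compare_digest(card_token.encode(), emp.card_token.encode())
    pin_ok = hmac.compare_digest(hash_pin(pin, emp.pin_salt), emp.pin_hash)
    if card_ok and pin_ok:
        emp.failures = 0
        return True
    emp.failures += 1
    if emp.failures >= MAX_FAILURES:
        emp.locked = True
    return False


def demo() -> Dict[str, bool]:
    """Exercise the gate with one constructed employee record."""
    staff = {"alice": enroll("alice", "CARD-7781-A", "4821")}
    results = {
        "both": authenticate(staff, "alice", "CARD-7781-A", "4821"),
        "card_only": authenticate(staff, "alice", "CARD-7781-A", None),
        "pin_only": authenticate(staff, "alice", None, "4821"),
        "wrong_pin": authenticate(staff, "alice", "CARD-7781-A", "0000"),
    }
    # Four more bad PINs (five in total) trip the lockout; the correct pair then fails too.
    for _ in range(MAX_FAILURES - 1):
        authenticate(staff, "alice", "CARD-7781-A", "0000")
    results["locked_after_failures"] = authenticate(staff, "alice", "CARD-7781-A", "4821")
    return results


if __name__ == "__main__":
    for check, outcome in demo().items():
        print(f"{check}: {'accepted' if outcome else 'rejected'}")
```

The point of the gate is the early return when either factor is missing: a stolen card or a shoulder-surfed PIN is useless on its own, and the lockout counter bounds how many PIN guesses a stolen card buys.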
This is the world we live in now. Hacking companies of all sizes is big business, and it's just a matter of time until someone tests your defenses. You have to get ahead of this bus, because otherwise it will run you over, eventually.
It amazes me that companies aren't taking the example of Target, Neiman-Marcus, and Equifax more seriously. You are next. Rely on it. And start changing your corporate culture to acknowledge the reality of the world today.
Posted by Don Jones on 04/23/2014 at 1:20 PM