As I said in my last blog, I am about a year and a half into my Pre-Sales Engineering role, and lately I keep running into the old motto “the more things change, the more they remain the same”.
Most likely at some time in our careers, we’ve worked for a company that continuously lacked funding, organization, or heck, even overall people skills! I hope none of you are currently at such a company, and I offer my sympathy if you are. However, in talking to many new and existing customers this year, I am surprised at how many choose to look the other way, take the “not me” approach, or flat-out admit there won’t be funding until a breach occurs.
Now, don’t get me wrong, there are still plenty of companies that are doing the right thing and working to make their organizations as secure as they can, but what about these other folks?
- Choosing to look the other way
- “Not me”
- No funding until there is a breach
“Choosing to Look the Other Way” - We see it and hear about it almost every day. Granted, there are varying degrees. Seeing someone invoke the five-second rule at a restaurant is far different from causing financial or reputational harm. So, I think many of these individuals choosing to look the other way at their company’s security flaws are likening them to the five-second rule rather than to more serious harm. However, when a person drops their piece of food on the floor and then quickly picks it up and brushes it off to eat, they are only affecting themselves. No one else is impacted by that decision. On the flip side, financial and brand damage can impact the entire organization. Harm to customers, brand damage, and financial losses as the result of a breach can have serious consequences for a company. I would like these security people to understand the difference and “do the right thing” when it comes to securing their company’s data.
“Not Me” - These folks remind me of playing tag as a kid, ha-ha! The thing here is that, just like playing tag, after enough rounds you become “it.” At this stage of the breach game, I think all of us, as individuals, have been a victim at least once. So, as a victim, how do you go to your job in security and be okay with “Not Me”? Then there is their mantra: “we aren’t a big blah, blah, blah company; we aren’t a target.” Hmm, I am sure everyone on this list of all the cyber-attack victims in May of 2019 might disagree. Again, I would like these folks to have a chat with Captain Obvious and “Do the Right Thing!”
Our last group, “No Funding Until There is a Breach” – This is just unfortunate, and I see them as complacent. They know they need or should have protections, but they can’t or don’t make the appropriate case to change their fate. They seemingly just get by in their day-to-day security position until one day they are faced with a breach and are scrambling for protection, perhaps paying ransom fees or GDPR fines. These people should be “Doing the Right Thing” and think of their careers! Look at the Lake City employee who was fired after paying the ransom. Then there is a very interesting perspective described by John Pescatore, Director of Emerging Security Trends at the SANS Institute. In his editor’s note on “UK’s Information Commissioner’s Office to Fine British Airways for GDPR Violations,” he stated, “using typical numbers, the fine conversion to US is $229.45 million, about 6% of BA’s 2018 profit. It represents about $40 per record exposed, while the typical hard costs (dealing with the problem, communicating with impacted customers, providing credit check services, dealing with lawsuits, etc.) are typically $50 to $75 per record or another $250M. So the total cost of this one incident is about $500M or over 10% of BA’s 2018 profit. The cost of avoidance of a security issue, by making sure the web software didn’t have easily exploited vulnerabilities before it was allowed on the website, would have been less than 1% of that eventual cost.” This is a very powerful line of thinking. As the old saying goes, “a stitch in time saves nine.” It’s true in so many things that we do!
Lastly, I leave you with Merriam-Webster’s definition of security:
something that secures: PROTECTION (1) measures taken to guard against espionage or sabotage, crime, attack, or escape (2) an organization or department whose task is security.
If your job involves security, you owe it to yourself, your company, and most importantly your customers to “do the right thing” and protect your environment to the best of your ability.
List of all the cyber-attacks in May 2019:
Lake City employee who was fired after paying the ransom:
Editor’s Note on “UK’s Information Commissioner’s Office to Fine British Airways for GDPR Violations” – July 8, 2019.
Another good source of data to use in briefing CEOs and Boards: Using typical numbers, the $229.45M(US) fine is about 6% of BA’s 2018 profit. It represents about $40 per record exposed, while the typical hard costs (dealing with the problem, communicating with impacted customers, providing credit check services, dealing with lawsuits, etc.) are typically $50-75 per record, or another $250M. So, the total cost of this one incident is about $500M or over 10% of BA’s 2018 profit. The cost of avoiding making sure the web software didn’t have easily exploited vulnerabilities before it was allowed on the website would have been less than 1% of that eventual cost.