July 22nd, 2013 by Lewis Morgan
I overheard a conversation the other day, one which left me so stunned that I've decided to write about it...
Two men having dinner behind me (I got the impression they were both directors) were discussing the £200k fine the NHS received for losing patient data. Eventually, the conversation turned into a discussion about information security as a whole. I won't go into all the details, but one of them said, "We don't particularly focus on cyber security; it's always large organisations which are in the news about getting hacked, and being a small company, we're not under threat". It bothered me (probably more than it should have) that someone in control of an organisation has that attitude to cyber security. If an organisation of 5 employees was hacked on the same day as, let's say, Dell, who'd make it into the news? Dell would. Why? Because it's likely to be of more interest to the readers/listeners and will have a bigger impact on the public compared to that of the smaller organisation. The size of the headline says nothing about the size of the threat.
I never see stories in the news of someone being hit by a bus in my local town, but it doesn't mean I'll walk in front of one holding a sign saying "hit me". That's effectively what this director is doing: turning a blind eye to a large threat just because he's not seen an example of a small organisation being hacked. Chances are he doesn't even read the publications which cover those stories.
Ignorance
It's a strong word, isn't it? Personally I hate calling people ignorant; I'd rather use a more constructive word such as "unaware", but I feel that using the word ignorance will raise some eyebrows.
As a director of a company, your aim is to maximise revenue, minimise costs and manage everything in between.
You need a future for your organisation; this is usually done by investing in your marketing efforts, improving your products/services and providing the best customer service possible. But what do you do to actually secure a future? It's all well and good having a 5 year plan which sees 400% growth in revenue, but how do you make sure that your organisation will even exist in 5 years?
Two years into your plan and you're hitting your targets, but you've just discovered that there's been a data breach and your customers' credit card details have been sold online.
Your plans are now redundant, and, depending on how prepared you are to handle the situation, so are your staff. The cost of recovering from a data breach for a small organisation is between £35k and £65k (and that's not including fines). Can your organisation afford that? Probably not, but you could have afforded the costs which would have prevented this breach in the first place.
Let's say that the breach happened because a new member of staff was unaware that they shouldn't open emails in the spam folder. An email was opened, malicious software was installed and login credentials were stolen. You could have trained that member of staff on basic information security in under an hour, for £45. But instead, you chose to ignore your IT Manager, who's been raising spam issues at each monthly meeting, because all you chose to hear was "we've not been hacked" and "invest", which was enough for you to move on.
What your IT Manager is really telling you is "We've recently been receiving a large amount of emails into our spam filter, and some are getting through. I think we need to invest in a more advanced spam filter, and perhaps train some of the staff on which emails to avoid. A virus from an email could lead to a hack; it's not happened yet, but there's a chance it will."
Forget blaming the IT Manager or the new member of staff when that breach happens; it comes down to you and your:
Inability to perceive cyber threats
Grey areas in appropriate knowledge
Naivety
Overhead cost restrictions
Refusal to listen to something you donāt understand
Absent-mindedness
No interest in the customer's best interests
Careless decisions
Eventual disaster
Cyber security threats are real, so why are you ignoring them?
To save money? Tell that to a judge
You don't understand the threats? Read this book