Although your mother always told you to learn from others’ mistakes, that is a tall order when having to make choices between which activities you’re going to commit your scarce resources to. Like many things, when it comes to IT security, once the cat is out of the bag the costs of not having data security solutions is always astronomically higher than you originally imagined.
And while it may seem like digital forensic analysts can perform miracles with data; breathing life back into that document that was accidentally deleted, recovering some artifact that clinches the matter or being able to determine all the steps that an attacker took to gain access to the system, the reality is that in most matters only a small amount of useful information is available for analysis. Imagine what we could do if we actually had all of the information that is potentially available at our disposal! So often we walk into organizations that have ignored their IT security that information that would have been extremely useful has already disappeared or worse, was never even collected in the first place.
So why is it that we’re often forced to work with less than the ideal?
There are a number of reasons, with the most popular being highlighted below:
- Don’t know what we don’t know
- Misperception of the real risk
- Scarcity of resources and need to prioritize
- Lack of focus on anything short of “fighting fires”
Let’s take a look at these in a little more detail. Future posts will look at strategies that you can use within your organization to address these shortcomings.
Don’t Know What We Don’t Know
We have become so inundated with technology that there is an acceptance that the underlying complexity of the technology of days long gone has disappeared. Fool-heartedly, we believe that we know and understand what is really happening with the devices we interact with day-in and day-out. I recently read an interesting statistic that indicated the average number of hours that it takes to become an expert on something is 10,000 or more hours. Anything short of that and it’s easy to get lulled into thinking that that new fact you just learned about is the last thing you need to know. In my experience there are quite literally thousands of these little tidbits. Those are the kinds of things that come to light the further we venture down that road of becoming an expert. The reality is that very few of us truly reach the level of expert in anything other than our true discipline. The fact that technology has increasingly become easier to use from an end-user standpoint lulls us into a belief that the little bit of knowledge that we have gained puts us at the summit without ever realizing that the mountain we thought peaked at 5,000 feet really has a summit of 25,000 feet. Quite simply most people just don’t know what they don’t know. This is extremely dangerous when it comes to an area as broad and deep as IT security. It leads to a belief that the steps put in place have adequately addressed the risks, that the “right” information is being collected and retained, and that the organization is immune from attacks.
Many organizations fail to take proactive actions to shore up its privacy and data security because they possess just enough information to allow them to feel comfortable about the decisions that they have made.
Misperception of the Real Risk
In almost every situation where we have discussed performing a comprehensive evaluation (IT Audit/Review) of an organization’s IT security OR in those situations that we have been called in after-the-fact to assess a breach, we are told that the organization doesn’t have “critical information” that attackers would be interested in. Okay, so they may be partially right — they’re not going to be a target of corporate espionage or state-endorsed hacking from some 3rd world country looking for military secrets. In the early days of the Internet, those may have been the only reasons why an organization was a target.
The reality today, however, is vastly different. Every organization that has a presence on the Internet is a target! Every organization. Period. In fact, the less an organization does to protect its infrastructure, the more likely it is a target simply because it can easily be compromised which allows attackers to shield themselves from being identified by hiding behind a chain of organizations that have been “owned” by the attacker.
Don’t fall victim to the belief that as an organization you don’t have anything of value to an attacker. Many attackers are happy finding value in the use of your Internet connectivity, the shroud your organization’s identity provides to the attacker and the computing resources of the organization.
Scarcity of Resources and Need to Prioritize
No matter what size organization you are a part of, you are faced with constraints on resources. With a scarcity of resources, organizations must prioritize where resources are spent. And since IT security doesn’t improve productivity, won’t allow organizations to generate more revenue and rarely offers cost-savings, it is natural that the prioritization of security falls to the bottom. This becomes exacerbated when IT security, for the most part, is invisible; at least until a breach is discovered. Let’s face it, if the decision makers in an organization drove by the organization’s building at night and saw a would-be thief rattling the windows and jiggling the locks on the doors to see if they could get in, you can be assured that security would be increased immediately. Yet, that is precisely what goes on with organization’s IT perimeter — only it’s not at night, it’s 24×7 and it’s not just by one attacker, it’s quite literally thousands of would-be attackers any of which are not limited by geography.
The true risks of IT security need to be made visible and salient to the decision-makers of the organization.
Lack of Focus on Anything Other than “Fighting Fires”
Let’s face it, we have so many demands competing for our attention that very few of us can actually take time out to address the important but silent issues that we face. It’s so much easier to turn our attention on those fires that are burning right in front of us. The problem is that fire spreads and just as we get one of those fires put out, another lights up to take our attention away from everything else. It’s the smoldering pile of leaves in the corner that doesn’t get attention until it completely ignites and becomes a raging fire.
Most organization’s IT security is the smoldering pile of leaves in the corner; and as such, doesn’t get addressed until it’s too late.
Tune in to future posts for some practical advice on addressing each of these privacy and data security issues.