
Increasing Cyber Security AFTER a Breach

It happens almost every day. Small to medium-sized businesses (SMBs) discover breaches and, besides paying for remediation and for notification of their clients, they also start improving their security. Why is it that, so many times, investing in security happens AFTER a breach?

Studies have shown that a good percentage of these organizations go out of business within six months of a breach. The sad part of these stories is that if these companies had just invested some capital in their cyber security, they could possibly have prevented the incident and saved hundreds of thousands of dollars.

Many of the breached organizations have been hospitals, medical offices, manufacturing companies and financial companies, which seem to be prime targets for attacks such as ransomware and data exfiltration, and which garner a lot of press these days.

When I visit managers and owners of SMBs to outline our cyber security and risk services, there is a common theme that I have been hearing for the longest time. They explain that they are so small and don’t have any data that is worth stealing, so hackers will not target them. WRONG!! Many also tell me that they “think” they are secure, but that their IT staff would know better since they are in charge of security. And here (in many cases) is where the disconnect lies: between what the IT staff think they are responsible for and what management assumes they are responsible for.

I usually give them the following example to explain that if their IT staff isn’t specifically trained in cyber security, they shouldn’t be counting on them to implement more than basic technical system security.

A person is diagnosed with a brain tumor. They are given a choice of two doctors they can take on to eradicate the tumor:

  1. General practitioner
  2. Brain surgeon

They are both doctors, but only one of them is trained to work on the brain. No one in their right mind (no pun intended) is going to let the GP take their case; they are, of course, going to go with the specialized brain surgeon.

The same goes for security. There is a reason people are schooled and certified specifically in information/cyber security: they have been trained to look at people, process and technology in a different way than technicians do. I wouldn’t have a non-technical security person run my server farm, so why would an organization take a technician and make them responsible for more than basic security?

Furthermore, if you ask the technicians whether they are taking care of security, many I have spoken to tell me they are, but only up to the point of settings in the operating system and/or applications. We can now see how management and the technology staff may be seeing their overall security responsibilities differently.

Now the unthinkable happens. The organization is breached, and management goes to the technology department asking how this could have happened on their watch. The technology department explains that they only performed cursory security hardening on the systems. At this point there is no advantage in pointing fingers: mitigate/remediate the exposure first, then review what has happened. After the incident, and after any fines or monitoring costs are paid, the organization starts a project to increase its security.

I can’t emphasize enough that it pays to invest in cyber security protection/services BEFORE you are hit with an incident such as ransomware or a breach, and hopefully my outline above gives you a little more of an appreciation for this.