Do You Have a Blinkered Approach to Cyber Security?

No-one in their right mind would drive a car with their eyes covered, taking instructions from someone in the back seat. There would be a disconnect between observation of signage, traffic lights, driving conditions, other vehicles, and the instant eye / brain / hand / foot co-ordination necessary to avoid an accident. A crash would be inevitable. 

Yet many business owners have a blinkered approach to Cyber Security. With their attention on day-to-day issues, or growing the business, many simply default to letting their IT guys take control. They take their hands off the wheel, without really knowing if their IT guys fully understand Cyber Security, the business risks, or the consequences of a breach.

The IT Sales / Break-Fix Model is Broken

For many IT companies, IT is still a sales and break-fix approach, when it should be one of constant maintenance, monitoring, and protection.

Most IT teams are focused on moving data and services to the Cloud, where access and privacy are not under their direct control. These IT teams are either unaware of, or simply ignoring, the core principles of security and privacy. Protecting your data not only requires a firm understanding of those principles, but also a mind-set that is 180° away from that which currently prevails in IT.

I have spent decades conducting security assessments, providing solutions, and distilling the principles of security. Over that time, the biggest cause of breaches that I have observed is a lack of understanding and a lack of awareness of risks, often creating confusion that creates inertia. IT management is often seen as an expense, which is true of break-fix, but a system managed for Zero Downtime is an investment.

The Majority of Breaches are Internal

It is all too easy to blame breaches on uncontrollable outside causes such as hackers. However, the reality is that over 65% of breaches are internal, and relatively easy to mitigate. The other 35%, the external threats, are easier to mitigate by closely following the principles of security and privacy as they apply to the IT landscape.

As Frank Abagnale Jr states, “Hackers don’t cause breaches, people do”. Frank is the person upon whom the movie “Catch Me If You Can” was based, and who after capture and imprisonment ended up working for the FBI as a security consultant, and later as a private consultant.

Delegating responsibility to an IT team that does not understand, or possess, a security mind-set is not the best decision. That usually only becomes apparent after a breach occurs that could easily have been avoided.

A blinkered approach to cyber security could destroy your business

One recent incident where a small business owner had a blinkered approach to cyber security resulted in him losing everything. He had received a glowing network “health report” from his IT Company. But less than 24 hours later, his network was breached and all the data encrypted by ransomware.

Upon attempted restoration from backups, it was found that backups had been failing, and were corrupted and unreadable. No-one knew that, because the backups were not managed or monitored. Of major concern to the owner was the valuable Intellectual Property from many years of research and development.

The owner was faced with finding $100,000 he didn’t have, to pay the ransom in bitcoin, with a less than 20% chance he would get his data back. Rather than go heavily into debt on a gamble, he didn’t pay. Losing the data was painful, but doubly painful was the knowledge that his valuable Intellectual Property was now probably being sold on the dark web.

The negligence on the part of his IT Company, who also had a blinkered approach to cyber security, destroyed his business. An IT company’s lack of awareness of the failed backups was bad enough, but insult was added to injury when it was discovered that general sloppiness on the part of the IT Company had created the security breach in the first place.

Had the data backups been treated with importance and properly managed and monitored, or had the IT company not taken convenient but insecure shortcuts, this disaster could have been avoided. Sadly, this story is an everyday occurrence.

Never Assume a Security Breach Will Never Happen

Many business owners also make the assumption that because a security breach or data loss hasn’t happened yet, they must be secure, so it will never happen. And they assume their IT team are up to the task of securing the systems, because they work in IT. But if that team don’t have sufficient clarity and understanding to get the basics right, what chance have they got of understanding robust security principles, and the right mind-sets to handle complex security matters?

Which brings me to the Microsoft 10 Immutable Laws of Security Administration:

Law #1: Nobody believes anything bad can happen to them, until it does.

Law #7: The most secure network is a well-administered one.

If your computer network is not being continually maintained, monitored, and managed, it is not well-administered.

Do you have a blinkered approach to Cyber Security? Are you 100% certain that you have done everything you can to protect your business? Or do you have doubts?

Let us help you understand the risks and available solutions. Contact us on 03 351 4100 to book an appointment or start a conversation.
