IT security has become a major concern for most organizations. Concerns that were previously confined to the server room have been catapulted into the boardroom by high-profile breaches and their hugely expensive consequences. No one wants to see their name in headlines alongside Home Depot, Target, and Sony. The average cost of a data breach is estimated at $3.8 million, and it keeps climbing.
Why does this keep happening? Are you next? Will your company survive or go down in flames?
Here are three reasons you had better get your firefighting gear on:
- You think IT Security is a TECHNICAL problem
IT Security is and always will be a PEOPLE problem. End users are the first line of defense and your greatest asset in preventing a data breach. Unfortunately, they are also a vector by which hackers gain access to your network.
According to the 2015 Verizon Data Breach Investigations Report, 23% of recipients open phishing emails and 11% click on the attachments. The average time from receiving the email to clicking on it is under two minutes. That’s not enough time for your IT staff to identify and respond, let alone to warn users not to click on the message.
As if that wasn’t bad enough, Cisco conducted a survey a few years back that revealed that 70% of employees intentionally broke IT policies. Reasons for doing so included lack of enforcement, inconvenience of following the rules, or brazen indifference to the policies. If seven out of ten employees were leaving the front door unlocked when they went home for the day you’d probably do something about it, right?
Not training and engaging your end users as partners in security is a glaring error. If employees either don’t know or intentionally break policies, it’s a big problem. Managers who abdicate responsibility for this and assume that a technological solution for security will be a panacea are dangerously naive. You need common sense policies and procedures and a platform for delivering them.
- You don’t have a patching plan
Automatic updates are great for home computers, but the data on your corporate network is far more valuable and needs better protection. If you don’t have a patching plan, you have a problem. That same Verizon report that mentioned how users will click on anything had another wake-up call in it:
That’s a pretty scary statistic. If a CVE (Common Vulnerabilities and Exposures) has been around for a year or more, that either means the company you’re buying software from doesn’t care about you as a customer enough to patch it, or your IT staff isn’t competent and organized enough to keep systems updated.
If your car had a recall on it for a year and you ignored that only to end up totaling it, you’d feel pretty dumb, right? What about if your mechanic knew about it but didn’t do anything? Why aren’t you as concerned about your corporate network as you would be with your car?
- Your Network is on Life Support
Computers and network hardware aren’t cheap. That’s why you’ve tried to squeeze every dollar out of the IT budget. Your IT staff told you about life cycle management but the hell with that: if it ain’t broke, don’t fix it. Right?
WRONG. If you aren’t regularly assessing your equipment to ensure it hasn’t reached its “End of Life” (EOL) state, you are in serious trouble. Once you reach that point, you’re exposed to every vulnerability that comes along, since the vendor no longer supports your equipment. This wasn’t something that snuck up on your company either: most vendors announce EOL timelines years in advance. You may have saved a few dollars, but if you run into trouble you’ve created a much more expensive problem.
Not only is EOL hardware going to expose you to potential data breaches, but when it inevitably fails you won’t be able to get spare parts (or any other support). Now, what could have been a brief outage is a much longer and more expensive affair when you’re panicking to buy and implement new equipment without a chance to assess what’s out there. Forget about shopping around – now you need to pay for overnight shipping! Good thing you saved that money last year, right?
IT Security doesn’t have to be this painful. An injection of common sense and strong governance can make all the difference in reducing your risk exposure. If you’re not sure where to get started or how to have a conversation about fixing your IT problems, maybe it’s time to get some help?