[BreachExchange] IT’s adult day care dilemma

Destry Winant destry at riskbasedsecurity.com
Tue May 8 19:38:49 EDT 2018


You may not have thought of it this way, but your role in IT is not
unlike managing an adult day care. Your network users can be your
worst enemy, especially when it comes to security. It’s merely a
matter of time before someone makes an unwise decision that places
sensitive information at risk or otherwise harms your network.

Curious, malicious or otherwise careless users can create all sorts of
information security-related issues in your business including:

· Malware infections that can install keylogging software, or worse,
ransomware on your computers or allow your systems to be accessed and
controlled by outsiders looking to attack others

· Exposed intellectual property which can negate the time, money and
effort you’ve put into the legal side of protecting your business

· Compromised personally identifiable information that can lead to
compliance violations and subsequent legal problems

· Accessing illicit web sites that can create HR-related challenges
such as sexual harassment that you might not be ready to take on

Your entire computer environment is one click or one careless choice
away from compromise. It really is like managing an adult day care,
and I don’t envy you for it whatsoever! Still, you can’t write this
off as management’s problem, or as an unsolvable IT problem. It’s not.
It’s a fundamental business challenge that needs to be addressed at a
level above the one where it is created.

One of the most dangerous things in doing business today is when
executives pretend that IT-related issues don’t affect their business.
They do. They affect every business. Information risks can be tied
directly to your business’ bottom line. Blindly trusting employees and
assuming that you have nothing of value on your network that the bad
guys would want is not enough.

Even if overseeing all of this proves too much for you or others in
your business, it still must be addressed. Here are four steps you
can get started with, right now, to keep your computer systems in

1. Determine what information is where. Critical systems and sensitive
information are everywhere across your network including on mobile
devices and out in the cloud.

2. Understand how unprotected systems and information, and your
employees’ choices, are putting your business at risk.

3. Do something to minimize your risks: documented policies, employee
training that underscores why sensitive information needs to be
protected, and technical controls to keep it all in check.

4. Continually test your systems for new or previously-undiscovered
weaknesses. Refine and repeat this process over time.

Know that your network is as simple now as it’ll ever be. As your
business grows, IT and security are only going to become more complex.
Network complexity breeds more uncertainty, which translates into
risks you don’t need to carry and may not be prepared to take on. Make
the decision today to set your users and your business up for success
by giving security the attention it deserves. Set the expectations of
your users. Tell them and show them how bad security choices impact
the business. Better yet, vow to do what it takes to take security
decisions out of your users’ hands. Too many people can and will make
their own security choices if they’re allowed to. You need to be the
one in control, not them.
