When you take a course in school or work and you get 100% on the test, it’s a great feeling. Perfection! How smart are you! When you get 100% on every test, every time, you have truly mastered the subject and are clearly an expert. It’s something you might even want to boast about to your friends; what an accomplishment!
But what if the scenario were turned 180 degrees and you received a 0% on every test? Your feelings are completely opposite. You are discouraged, frustrated, even embarrassed. Your confidence is shot and you certainly don’t want to be bragging about it to your friends.
This is the scenario we see in cyber security. When we deploy our cyber security solution for a new client, we have a very methodical process for the implementation and configuration of the solution based on the client’s needs. Part of the process includes continually capturing real-time data and then reporting those findings on a monthly basis. We review these security reports with our clients so they can see and understand what is actually happening in their company.
Every company fails security 100% of the time!
What we have found interesting is that we find an issue or issues that need immediate remediation 100% of the time. Think about that for a minute. Every single time, for every single client, they fail. This is not something the company wants to deal with; it is very frightening to them, and they certainly do not want to boast about it to others.
Oftentimes we have already remediated issues in real time as we are monitoring their security, but many times it takes working with the company management to determine what they want to do. As an example, if we find a company computer is suddenly trying to broadcast malicious content out through the company’s internet connection, we will be immediately notified and will shut down and ‘clean’ the identified computer. We certainly do not want to wait until the end of the month to address the issue.
Other issues are more dependent on what the company management team wants to do. During our initial monthly review of the report, there are often issues related to how employees are using company systems. For example, employees are accessing inappropriate websites, or usage of social media sites such as YouTube, Facebook and Pandora is excessive and saturating internet bandwidth. We also see attempts to access the company network from other countries, such as China, Romania, North Korea, etc. In these cases, the company management is almost always shocked and says “We don’t do business with those countries! Why are they trying to access our information!?”
This is an example where we need to have a discussion with management to confirm what is legitimate and what is not. Using our service, we can block websites and countries permanently and selectively, or the company may want to write and issue an Information Security Policy that states what the company policies are for appropriate use. In the latter case, the issue is handled through policy and not technology.
You can’t address what you can’t see
In all these cases, the primary issue is that companies without proper security in place are in a state of being blissfully ignorant. They do not see anything going on, so they assume everything is good. Once we shine a light on security, their eyes are wide open because they can now see what is actually happening. Having the information allows us, working with the company, to address and remediate issues.
The larger implication is that companies without proper security are playing with fire. While some issues are not extremely damaging, it is only a matter of time before a malicious event becomes a major security incident the company must respond to. Imagine you are a health provider, law firm or any company (since every company has sensitive and private information) and find you have a breach and private information has been leaking out of the company. The status just went from green to red, requiring significant and immediate effort from many different people: the incident response plan.
The point is, in today’s world, it is better to know and have a planned response than to continue to be in the dark. We know 100% of companies we work with will have issues to address; we also know most companies continue to operate in the dark, believing it won’t happen to them. As scary and uncomfortable as it may be, I would certainly rather operate from a position of knowing than take the chance and hope nothing will happen. After all, we know from actual data, ‘nothing will happen’ actually never happens.