Information Security: What Small Businesses Don’t Know Will Hurt
Personally and professionally, we were not prepared for the growth of the Internet and the resulting information security needs. For the vast majority of us, we still aren’t. We’re human beings using advanced digital communication systems, and as users of these systems, we are defined by behaviours. This is the single reason why organizations are failing; from small shops with two systems that make up their IT department through to enormous enterprises.
Our behaviours towards information security remains stagnant.
We are all familiar with the big stories of the day;
- Privacy breaches;
- Systems compromised; and
- Inadequate security controls within organizations whose core business revolves around collecting and storing our personal data.
As we’ve been thrown into this unknown world, we’re already behind in understanding the significance of how these threats affects us all. It’s far more than just the inconvenience of having our email addresses leaked or our usernames and passwords exposed. It’s what’s occurring behind the scenes with this information. This is where and why malicious individuals are always ahead. They know what the value of our systems and data are worth and they profit off of our behaviours towards our systems and data.
These behaviours have left us ignoring fundamental concepts.
Fundamental concepts are easy. Let’s look at a simple example; you lock the doors to your house because you want to protect your persons and belongings. This simple concept translates into the business world, where belongings are classified as assets. You lock the front door to your office because you want to protect your assets.
These assets include:
- Intellectual property;
- Confidential company data; and
- Clients’ personal financial and health information.
We move these concepts into the digital era. Firewalls have become our doors and anti-malware solutions have become our alarm systems. The list is enormous with Vendors offering hardware and software solutions for just about any issue one could think of.
While some of these solutions serve a valid purpose, the one constant throughout the growth of the Internet is us and our behaviours.
Let’s look at some of the current threats, from Drupal’s SQL issue, the SSL v3 vulnerability and the highly publicized Heartbleed, it’s certain that our behaviour created these. Rushing through the software development lifecycle where security has a very high percentage of being neglected until last minute, if at all. Not patching systems or properly responding to threat notifications.
Vulnerabilities and risks throughout the systems do not happen by themselves, nor do malicious individuals accidentally retrieve our personal information.
We have to stop looking at our failures as a way to shift blame onto someone. This is another behaviour; we don’t blame something, such as a firewall or a software application, we blame someone. With Brand names in jeopardy and as the blame to point the finger rises the corporate ladder, now is the time to look at these failures as a great opportunity for improving our behaviours towards information security. It’s not to say all bad things that happen are intentional. However, negligence and ‘I didn’t know’ are inadequate responses for cyber breaches. Ownership falls on the responsibility of the business.
There’s a current theme for professionals working in the information security realm; you pay for security now or you pay for it later. When you’re a multi-billion dollar a year enterprise, you can absorb cyber breaches. Still, when you’re financially responsible for distributing out in the hundreds of millions in costs because of a breach, is this not enough to change our behaviour towards information security?
So how do we change our behaviour towards information security? How about we start with setting expectations? We reward personnel for meeting sales targets and praise them for client satisfaction. How about we reward them for not clicking on a phishing email by reporting it to the IT person in charge? Or we reward them for not spending a copious amount of hours on social media sites in the workplace, although our acceptable use policy states ‘reasonable amount of time’?
It’s about bringing security to the forefront in your workplace. Discuss it, reward it and it will become a workplace behaviour. This is a behaviour worth expecting.
Want to learn more about how this impacts your marketing efforts? Click here to connect with TaylorMade Solutions.