The ostrich theory of security

29 May 2015

What’s the difference between genuinely helping someone with a problem and exploiting their fears to extract cash from them? I find myself asking this question whenever there’s a big splash in the headlines around a subject like computer security. Every time there’s a story about a data breach or data loss at a large organisation, it’s usually only a matter of hours (possibly even minutes) before the comments and press releases start arriving, explaining what measures companies can take to ensure they don’t suffer the same fate.

At one level, this can be seen as helpful advice, especially if many organisations are unaware of the nature of the threats they face and how to mitigate them. On another level, however, it’s fair to say that many IT companies view every breach as an opportunity to sell security solutions to businesses. You say ‘advice’, I say ‘opportunity’ – is the end result the same?

Well, yes and no. It’s all about the context. While it can be helpful to concentrate the minds of customers on security by highlighting the largest and potentially most damaging security breaches, it can also present them with a distorted view of the nature of the threat that faces them. Making well-informed decisions after careful consideration of the issues and the suitability of a particular solution is one thing. But rushing to address a problem from a position of fear or near panic is another.

The fact is it’s virtually impossible to achieve 100% security. We know this from our daily lives. Yes, we could take every conceivable measure to make our homes impregnable to burglary but the cost of doing so, for those of us who aren’t millionaires or oligarchs, would probably be more than the value of the items we’re trying to protect. Instead, many of us make the calculation that it’s probably sufficient to make the task of robbing our homes inconvenient enough to a burglar that it’s not worth his or her time, effort and risk to attempt it.

The same should apply to business. There is a level of security that a company can achieve and still remain viable, and then there is the security nirvana that would protect everything from anything, except the company going bust because it has spent too much on security.

Policy matters
This is worth bearing in mind in relation to a recent story concerning research from law firm A&L Goodbody, carried out by Red C, which found that only 27% of the 200 companies surveyed were fully prepared to deal with a cyberattack. The survey found that nearly two thirds (65%) had no written cybersecurity policies, 59% had not provided training to employees on what to do in the event of an attack, and nearly half (49%) had not allocated responsibility for incident response to any one employee or team.

Now, no one can say any of those measures are luxuries rather than essentials when it comes to IT security. It’s a genuine cause for concern that so few companies have even the most basic cybersecurity measures in place. Commenting on the results, John Whelan, partner and head of international technology practice at A&L Goodbody, said: “Businesses are exposed to increasing risk to their reputation and their bottom line. Boards and senior management must have policies in place to protect their business should a cyber incident occur. An important part of this is ensuring that the basic legal requirements are met, and the survey shows that while many businesses are aware of their exposure they are not fully prepared for it.”

So there’s definitely a role for channel partners and IT providers to go out and help make those organisations aware of what they should be doing to prepare for and deal with a cyberattack. But it would also be helpful if this was done in a measured way. For example, the legal obligations are potentially frightening, but as Whelan points out: “The legal obligations on companies and their directors in relation to cybersecurity have only emerged relatively recently.”

As a consequence, it’s probably not the best strategy to go in all guns blazing with hair-raising scare stories about a company’s legal liability in these circumstances, especially when, as Whelan says, “there are quite a number of obligations coming down the tracks under data protection legislation, companies legislation and other areas of law, and we’re only now starting to get decisions from the courts”.

In other words, a company’s lack of awareness of its legal obligations is not really its fault when those obligations “are relatively new and in a state of change”. What channel partners need to be doing is giving companies a measured and considered view of what they need to have in place to meet their obligations now. At the same time, they need to reassure customers that whatever they require in the future can be met without paralysing the operation to the point where, rather like a battleship top-heavy with defensive weaponry, it sinks before it ever faces an attack.
