Nine Cyber Security questions to check whether your company is clueless and doomed

by Peter Rietveld.

Security is difficult stuff – high tech by whiz kids that outsmart the best defenses. You may feel that nothing can stop that – that is what the press says, right? They are wrong. High tech attacks do happen, but not too often, since in reality very simple attacks work just as well, because most organizations are clueless and fail to cover the basics. It will be a simple attack that brings down your company. Even if the direct damage is limited, the press will jump on it, destroying your customers’ trust and eventually the company. Or some regulatory power comes jumping in with a major fine for non-compliance. Especially since that very basic attack could have been easily defeated.

Don’t think your company will never be a target just because you are in a line of business that seems trivial to criminals, say home improvement. Well, that is what the people from Home Depot must have thought until they were owned last September, owned big time. Target, breached last year, lost 14% in stock value and 46% of its profits in Q4 2013 due to the impact on customer and stock market sentiment. Fixing the damage set Target back another whopping $146 million. Home Depot is still crunching the numbers, but it doesn’t look good.

It may be your employer that folds at the next major security incident. Or maybe they’ll just have to downsize, which may not affect you as you are indispensable and extremely talented and your manager knows that and protects you. But then again they may downsize that manager, and that leaves you with exactly nothing. So think again and stop dreaming. Now is the time to act. Ask your security office these nine questions: it may take you half an hour, but it may save your house and your savings. Remember, you are a stakeholder too.

To help you prepare, I set up a list to verify your employer’s security posture. If more than two of the key indicators listed below score a YES, devise a plan B, which boils down to finding another place to work and selling any stock in your company that you have. Just in case, you know. If the score is over five, forget plan A and start executing plan B. And presto! Mortgage installments secured!

  1. When you report finding sensitive company information on the internet and the Security Officer tells you that ‘the internet’ is not in scope.
  2. When the company decides to outsource security as it is too complex to manage.
  3. When the company expects to improve security in a Security Awareness program that basically educates users not ‘to click on all attachments, unless it is from a reliable source’.
  4. When management leaves managing security to the IT people since it has to do with computers.
  5. When the Security department is researching whether to allow BYOD and adopting ‘the Cloud’.
  6. When the security policy does not mention secure disposal of printers.
  7. When InfoSec budgets are frozen because you’ve reached compliant status.
  8. When the legal department is set to veto decisions in an intrusion response plan.
  9. When the company assumes that since they’ve hired the best security specialist, they are secure.

Of course these are not the only relevant questions. But they illustrate the most dangerous fallacies around.