One Word: Discipline.
What most offices that experience a data breach or cyberattack lack is the discipline to guide and enforce their security standards.
Let me give you two quick stories of where a lack of discipline hurt offices and end with one concrete example of how discipline helps save lives.
Example 1: Backups are On, but Not Working!
One of the most common things I find when auditing a prospective client is that the entire office thinks their backups are working. Their IT guys tell them they are getting backups, and the majority take their IT guys at their word (not that all IT guys are trustworthy, unfortunately).
One recent example involved a dental office that assured us all their backups were running well. They paid ‘good money’ for their IT Support to back up their systems. And their IT contact repeatedly told them everything was working and that their backups were running.
When I came in, I noticed that the office didn’t have a good backup for over a month!
And even worse, the office had a server fail within that month and couldn’t recover the lost data!
What did the IT guy mean by “backups were working”?
I’ve found that it’s all too common to have IT Support teams assure their clients that backups are working because some automated script is running weekly to retrieve the backups. The problem is that 65% of the time, those backups aren’t actually getting made.
What the majority of IT guys do is simply run their script and call it a day. But if industry experts know that 65% of backups don’t work for one reason or another, why are they satisfied with simply running a script?
The problem with most IT guys is that they lack the discipline to follow a consistent process day in and day out. Maybe they are overconfident in their script (in the case of backups). Maybe they are overconfident that everyone on the team is competent enough to think through all the necessary steps.
But the problem with this is we are all human.
For backups, we have a process with a checklist for running the backup and a coupled process that holds our team members accountable for checking that the backups were actually created and that a restore from the backup will work in case an office needs to use it.
Most IT companies click a button and assume that everything is working. The problem with this approach is that there will eventually be a problem, and without completely following through on an air-tight process, your office may be risking data loss. If your IT guy simply tells you that backups are working but has no way of proving it, he is likely miscommunicating: the backup job is running, but he has no idea whether you will be able to restore from one.
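As an added illustration of the checklist above (example code written for this post, not a script from any of the offices or IT teams described), the following checks the four things the author says a backup script alone never proves: the archive exists, it is recent, it matches the hash recorded when it was made, and a test restore into scratch space reproduces the original files. The day-long freshness limit, the folder layout and the sample files are all constructed assumptions.

```python
import hashlib, tarfile, tempfile, time
from pathlib import Path

MAX_AGE_SECONDS = 24 * 3600  # assumed policy: a backup older than one day fails the freshness check

def sha256_file(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()

def tree_hashes(root: Path) -> dict:
    return {p.relative_to(root): sha256_file(p) for p in root.rglob("*") if p.is_file()}

def make_backup(src_dir: Path, archive: Path) -> str:
    # The 'backup script' part: archive the folder and record its hash as the manifest entry
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(src_dir, arcname=".")
    return sha256_file(archive)

def verify_backup(archive: Path, expected_sha256: str, src_dir: Path, now: float = 0.0) -> dict:
    # The checklist: the file exists, is recent, matches the manifest, and actually restores
    result = {"exists": archive.is_file(), "fresh": False, "hash_ok": False, "restore_ok": False}
    if not result["exists"]:
        return result
    result["fresh"] = (now or time.time()) - archive.stat().st_mtime <= MAX_AGE_SECONDS
    result["hash_ok"] = sha256_file(archive) == expected_sha256
    if not result["hash_ok"]:
        return result  # a corrupt or truncated archive is not worth trying to restore
    with tempfile.TemporaryDirectory() as tmp:  # test restore into scratch space, never over live data
        with tarfile.open(archive, "r:gz") as tar:
            try:
                tar.extractall(tmp, filter="data")  # rejects traversal and absolute paths (Python >= 3.12)
            except TypeError:
                tar.extractall(tmp)  # older interpreters lack the filter keyword
        result["restore_ok"] = tree_hashes(Path(tmp)) == tree_hashes(src_dir)
    return result

def demo() -> dict:
    # Constructed sample: a tiny 'office' folder, one backup of it, and the checklist run three times
    with tempfile.TemporaryDirectory() as work:
        src = Path(work) / "office"
        src.mkdir()
        (src / "patients.db").write_bytes(b"constructed sample record\n" * 100)
        (src / "schedule.txt").write_text("Mon 09:00 cleaning\n")
        archive = Path(work) / "office-backup.tar.gz"
        digest = make_backup(src, archive)
        good = verify_backup(archive, digest, src)
        stale = verify_backup(archive, digest, src, now=time.time() + 3 * MAX_AGE_SECONDS)
        archive.write_bytes(archive.read_bytes()[:10])  # the job 'ran' but left a truncated file behind
        corrupt = verify_backup(archive, digest, src)
    return {"good": good, "stale": stale, "corrupt": corrupt}
```

The "stale" and "corrupt" results are the two failures the story describes: a job that keeps running but has not produced a usable backup in weeks, and an archive that exists but cannot be restored.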
Example 2: Your Networks Are Protected
For this story, I am not using an example from one of my clients directly just to emphasize how undisciplined IT Security can lead to complete disaster.
I’m sure you remember the Equifax data breach that was announced in September of 2017? The one where nearly half of US citizens may have gotten their sensitive data leaked (and possibly stolen) from one of the nation’s trusted credit bureaus?
Well a sister company of Equifax—one based in Argentina—risked a similar breach on its hands simply because of lack of discipline.
Equifax Argentina had an administrative password—one that would give nearly carte blanche access to the network and sensitive credit data—set to ‘admin’. Who would ever think of using ‘admin’ as the admin password on a network?
Apparently, the folks accountable for IT Security did not check that their network credentials met a security standard (lack of discipline!), or they failed to have password policies in place to enforce strong passwords (also lack of discipline!).
While the cyber sleuths who found the discrepancy on the Equifax Argentina network had no malicious intent, a criminal would more than likely have been able to break through such a weak password and gain access to millions of personal records.
I must say that weak admin passwords are one common red flag I find when running audits. Over the last 20 years, I’ve grown more and more convinced that it’s not that the IT guy or IT Support team doesn’t care to protect your network; it’s that he (or they) lack the discipline to follow a regimented, routine process to enforce strong password policies throughout an organization (including the admins!).
You Need Lifesaving Discipline
I’m going to give you an example from my personal life here. I am a pilot. I love to fly little planes around. See parts of America from the air.
The first thing I learned was critical with flying a plane—before turning the engine on—is to follow a checklist. I check every surface of the plane to make sure that, to the best of my ability, I have identified every possible defect that could prevent us from successfully flying to our destination. I check the gas to make sure there is no water in it and to ensure we have enough fuel to make the trip (plus an extra hour’s worth in case we cannot land at a particular airport for some reason). I check the weather to make sure the winds are within the capabilities of the plane. There simply is a lot to check before flight, and during flight as well (let me assure you, my passengers know how obsessive I am about making sure everything on the checklist is complete!).
I, like all good pilots, use these checklists to keep my passengers safe, keep myself safe, and fulfill our mission of getting to a pancake breakfast, going on a small trip or flying to one of my offices. I want to anticipate the unexpected, because you never know when something might happen. I have checklists for just about any situation and have walked through with my instructors how to land safely in a variety of emergencies.
As a pilot, I’ve come to appreciate the discipline it takes to follow checklists. I must admit, it’s very tempting to take off without running up the engine to make sure everything is working right, and it’s tempting to bypass a pre-flight inspection since I flew the plane a few days ago and everything was fine. What pilots know is that they cannot take any chances with their lives or their passengers’.
IT Support guys shouldn’t take any chances either!
IT Security—especially when it comes to keeping your office safe—is about implementing disciplined IT. Disciplined IT doesn’t just tell you that they’re doing something. Disciplined IT is someone who checks every box on their checklist and is held accountable for doing so. Disciplined IT means having processes in place for backups, passwords (including checking the strength of passwords), monitoring your network, and patching and maintaining your machines. Every single thing in Information Security can be broken down into a disciplined process.
All your IT Support really needs to do is follow checklists that have been optimized to ensure problems and errors aren’t common.
Are you sure your IT Support is disciplined enough to keep your business safe from cyberattacks or from Mother Nature? Contact us TODAY for a FREE network assessment (this includes a detailed road map of how to fix any problems!).