Here’s a little comment that I must come across every single week in my day-to-day endeavours, and it always raises a little smile (if only to myself). Presumably it’s a justification for not investing in good Information Assurance, for not having the courage to give the business a real wake-up call, or perhaps an inadvertent admission of the person’s lack of understanding of the risk the business carries. Irrespective, it is clearly misguided, and perhaps people really need to think about it a little more. If nothing else, it is probably a poor metaphor given the current climate...
This perhaps suggests that banks and businesses in the finance sector need to have better security than others. Really? Let’s just think about this for a minute. If my bank has my financial details compromised, what is the worst that can happen? A real inconvenience short-term; they sort out the mess, and I get my money back, sooner or later. Now let’s apply this thought to, say, a local council. If my personal details are compromised there, I’d be rather more concerned, because councils hold much more “interesting” information. Like details of my mad uncle who runs around the local green swinging his trousers round his head, shouting at the top of his voice, or details of my delinquent 16-year-old, who is known to social services for sniffing glue outside the local shops. Clearly I have neither of these (or at least my kids aren’t that old yet!), but the point remains the same: there is (depending on your point of view) far more valuable information out there than the ability to siphon off a few pounds from someone’s bank account or credit card.
Taking this into the corporate arena, how many companies take the time to vet and check how robust their trading partners are in terms of Information Assurance? Take the legal sector as an example: law firms hold a wealth of information on companies (M&A information, tax avoidance, etc.). Ask any Head of IT in Legal (off the record!) whether they truly have adequate policies, procedures, and controls, and I am certain that very few would say they have the buy-in from the partners to mitigate risk to “acceptable” levels. I’m not going to pick on poor Legal CIOs, though; after all, they generally have a plethora of mini-MDs (aka equity partners) to appease (or at least to help maintain their bonuses!).
Extending the consideration to other sectors, the one with the worst under-investment is (IMHO) manufacturing. A recent visit to a specialist manufacturer highlighted the fact that, despite the cries of “We’re not a bank” (along with “Why would anyone target us?”), manufacturing is also a high-risk sector.
During the course of conversation, I was told how they had been approached by the security services because there was very strong evidence that they were being targeted by China. Far from being a “WMD”-type gaffe, this was a real and genuine threat, later proven when they found that a recent hire in America was in fact a Chinese sleeper cell, who had been tracked by the CIA and found in possession of highly sensitive documents from his previous employer, despite being American born! This type of threat has subsequently been confirmed by an information security vendor that has extensive data on threats originating from China.
So, the next time you are in a meeting with one of my peers (or hopefully me! 😉 ), just pause before uttering those immortal words “we’re not a bank” and think about what the true value of your organisation’s data might be. After all, you generally get the money back from a bank, whereas once the Intellectual Property has leaked, it’s out there.
Now, time to tell my uncle to put his trousers back on...