"IT manager fired after HAFNIUM hack"
The headline above this article could easily have appeared in a newspaper or trade magazine. But to my knowledge, no IT managers have (yet) been fired as a result of the recent HAFNIUM incident. Still, I think this headline is appropriate. We were "shocked" and there was panic. In these situations, it is not unthinkable that IT managers and CIOs are blamed for a burglary or data breach. Sometimes rightly so, often not.
Recent vulnerabilities in Microsoft Exchange servers have sparked the usual reflexes in business: panic, ad-hoc actions and heavy demands on company resources that are already busy anyway. You may wonder why, because incidents like this have become "business as usual". And the only way to arm yourself against them is to involve the entire business in the IT security policy. An expensive alarm on your house is pointless if you don't tell the kids to lock the door.
Security as a black box
The fact that IT managers and CIOs are often blamed for these vulnerabilities is a result of the boardroom's too-narrow view of IT security and data integrity. There, information security is often seen as a black box: an inscrutable box of tricks that, as long as enough money is deposited in it, is sufficient to keep the bad guys out. And if something does go wrong, everyone looks to the CIO.
However, safeguarding data integrity can and should never be the task of one business unit. Its importance must be widely recognized, and everyone within the organization must know and take their responsibility.
How much security will suffice?
Unfortunately, a lack of knowledge stands in the way of this awareness. How do you recognize this? For example, by the well-known questions "How much should I spend on IT security?" or "How much security do I need?" These are questions that offer a nice way to explain data security and to demonstrate the importance of an integrated approach.
See your organization as a house. How much security does that house need? That depends on the location of the house, the type of house, the household goods and the chance of burglary. What are the crown jewels? Not that expensive LCD TV, as it is replaceable. But does that also apply to the work of art on the wall or the heirloom with no financial but great emotional value?
Lock with access code
Only when you know what your treasures are can you make choices for their security. A lock alone is no longer sufficient; you will also have to install an access code. Nevertheless, we always have to take into account that, despite this basic security, someone sometimes slips in. So we have to look further. We can secure the artwork with a steel cage, but this will mar the interior. A concealed fog system that confuses the burglar could be an option. A camera system that registers in which rooms the burglar is snooping could also be far from a superfluous luxury.
Then we need to remember that children also live in the house. They sometimes lose their keys or forget to lock the door. Would a burglary be the fault of the security company? Even with the most advanced security systems, we must continuously make our fellow residents aware of their own responsibility. In this way, data security also remains an interplay between technology, processes and people, in which the business units have different interests.
We can never completely rule out that someone intrudes. We can be prepared, raise barriers, minimize the time burglars are inside and limit the damage. With strict measures and alert residents, we keep that work of art where it belongs: at home on the wall.