It’s been many years since I was actively working in the trenches as an IT administrator, but I remember that one of the common issues I had to deal with was user apathy about security. Users assumed that security was somebody else’s problem. They took shortcuts and sometimes intentionally circumvented security tools and policies for their own convenience, under the misguided assumption that security wasn’t their concern.
The problem with that logic is that when poor security practices at any level result in a data breach that affects the company, there is a cascade effect. The negative impact on the company as a whole can ultimately lead to layoffs that cost you your job.
I wrote this blog post about why security is everyone’s concern:
For those who work in information security it’s hard to imagine not viewing the world through that lens. The fact of the matter, though, is that the vast majority of users don’t really give security a second thought. Unfortunately, that cavalier attitude could affect the company and possibly even cost those people their jobs.
Many workers are just there to do their jobs. They assume that IT and information security issues will be handled by someone else and that it’s outside of their scope of responsibility. Many people also assume that their role is too menial to be a viable target for attackers so they don’t need to be concerned. Both of these assumptions are false.
Users need to be made aware of the broader trickle-down effect that a cyber attack has on the company as a whole. The harsh reality is that an attack ripples through the company. Attacks that are somebody else’s fault and occur in an entirely separate part of the company can still result in cutbacks or layoffs that impact the whole company.
Falling Like Dominoes
Most attacks are attacks of convenience. The attackers don’t really know or care what your individual role in the company is. Attacks are often automated to find gullible users or seek out vulnerable machines, and any successful compromise is enough to get the attacker through the proverbial “front door” and into the network.
Once an attacker has a foothold in the network it is much easier to do reconnaissance and move laterally within the network to seek out and compromise other vulnerable PCs. A successful phishing attack against an intern working in the mailroom can eventually lead to a massive breach of employee and customer data or a loss of significant intellectual property.
No matter where it starts, a successful attack has a domino effect that spreads throughout the company. First you have the direct impact of any money or data lost. Next is the cost of remediation. The company has to dedicate resources and possibly hire outside expertise to investigate the attack, determine the scope of the damage, and do incident response to clean up the mess and restore the security of the network and PCs. Finally, there’s the tarnished reputation when shareholders or customers learn about the attack, resulting in lost sales and a declining stock value.
You can read the full post on the RSA Conference blog: Practice Security Like Your Job Depends On It (Because It Does).