December 4, 2018 at 9:11 pm
Comments posted to this topic are about the item Lax Security is Harmful for Employment
December 5, 2018 at 1:24 am
I am not optimistic. Shadow IT presents immense risk from a data security and compliance perspective. The problem is that Shadow IT is often sanctioned by people with spending authority and that means people at reasonably senior levels. It isn't hard to end up in a situation where behaviours that put an organisation at risk are not only sanctioned, but rewarded.
The nature of Shadow IT is that its output lacks the formal support structures and practises to be self sustaining. That means that, eventually, the progenitor of a particular solution will move on or be promoted to a position where they can divest themselves of their offspring. Because their offspring is regarded as "mission critical" it rolls down hill into formal IT. Should a breach occur as a direct result of using this system then it is formal IT that will end up carrying the can.
December 5, 2018 at 6:24 am
Firing the executive is not necessarily the right thing, because of the nature of security failures. Of course negligence is one thing, but often it's a matter of the company simply being outmaneuvered or out smarted by a very clever adversary (after all the US military and intelligence agencies have been successfully hacked)
Security is a complex business. It looks like in the Marriot case, they acquired another chain. Even with due diligence (and there is a limit to how deeply you can go into another organization's system before a merger) neither organization knew about the breach until Marriot started to prepare to merge the systems. The stolen data was encrypted by the attackers and there was some time before it could even be determined what it was.
Except in cases of negligence, a company's best option is to KEEP the good people, and bring in experts to resolve the issue, not perform a ritual sacrifice.
...
-- FORTRAN manual for Xerox Computers --
December 5, 2018 at 6:40 am
jay-h - Wednesday, December 5, 2018 6:24 AMFiring the executive is not necessarily the right thing, because of the nature of security failures. ...
Except in cases of negligence, a company's best option is to KEEP the good people, and bring in experts to resolve the issue, not perform a ritual sacrifice.
Unfortunately for everyone, today's social climate often requires a scapegoat for everything, even when there was due diligence being performed by those responsible. My employer includes a team whose sole job is to attempt to hack into our systems to find vulnerabilities before the real bad guys do. But I also realize that probably most companies, except for the zillion dollar revenue ones, can not afford to fund such a team.
As an aside, it still amazes me that the same people who might be worried about exposed data freely post much of the same thing all over social media.
December 5, 2018 at 7:15 am
Wish I could say that I was more than pessimistic. The sad fact is that firing of a C level employee often lands the person in a higher paying position. It is a completely different world than rank and file personnel. Good security can be painful, but it should be the norm. A good start would be that someone should ask if every bit of data is really needed and if there is some substitute that would work as well. And consideration for removing data once it is no longer needed.
At some point some high level people will need to lose more than a job.
December 5, 2018 at 7:28 am
Call me cynical but I have to wonder how much of that huge cost is simply bringing security up to where it should have been in the first place (both the labor in applying patches, getting new software, and/or additional employee salaries). Should this be counted in the cost of the breach? Personally, I don't think so.
Now, lawyers fees, punitive damages, "customer recompense" (hah!), etc., yes, that absolutely should be included. But not the cost to fix the security that should have already been there.
Of course inflating the cost is likely to soften public opinion, "look how much it cost them. Bet they won't do that again"...
(need more caffeine!)
December 5, 2018 at 8:47 am
I feel a bit uncomfortable regarding who the ax falls upon: it seems to me that if a business or corporation does not sufficiently invest in security that the buck stops at the desk of the CEO or the board of directors. I prefer the latter since they really hold the purse strings and represent the investors. If it is your own business, you rolled the dice and it came up snake eyes so take your medicine.
But the crazy thing about all this is that most security issues have to do with insider activity, installing software with the default configuration values intact or failure to keep software up to date, three items that don't need a great deal of investment to address (well, software upgrades can be a pain and the down time might cost you some money but not always).
December 5, 2018 at 8:17 pm
First of all, Cow droppings are much less viscous than Horse dropping.
In fact, they are often like pancake batter, hit the pan and spread out.
And it seems that data breaches have become the norm, which is Cow Droppings.
Penalties should be levied and collected for every breach, I bet if it coast $10 a person and we actually fined and collected on the first few, everyone else will get the message, and secure their systems.
December 6, 2018 at 1:15 pm
It's hard to separate the sarcasm from truth in this Onion story. :unsure:
https://www.theonion.com/wells-fargo-computer-glitch-accidentally-forecloses-on-1830889330
"Do not seek to follow in the footsteps of the wise. Instead, seek what they sought." - Matsuo Basho
December 6, 2018 at 3:34 pm
Eric M Russell - Thursday, December 6, 2018 1:15 PMIt's hard to separate the sarcasm from truth in this Onion story. :unsure:
https://www.theonion.com/wells-fargo-computer-glitch-accidentally-forecloses-on-1830889330
I heard about a different story on the news, yesterday. A similar "glitch" affected more than 700 people and caused more than 500 people to lose their homes. And some people say that what we do "isn't saving lives" when it comes to agonizing over getting things right all the time. Imagine what those poor souls went through.
--Jeff Moden
Change is inevitable... Change for the better is not.
December 6, 2018 at 3:39 pm
Jeff Moden - Thursday, December 6, 2018 3:34 PMI heard about a different story on the news, yesterday. A similar "glitch" affected more than 700 people and cause more than 500 people to lose their homes. And some people say that what we do "isn't saving lives" when it comes to agonizing over getting things right all the time. Imagine what those poor souls went through.
Some economists have asserted that mortgage robo-signing was partially to blame for the realestate crash of 2008 and the subsequent economic recession.
"Do not seek to follow in the footsteps of the wise. Instead, seek what they sought." - Matsuo Basho
December 6, 2018 at 7:59 pm
Eric M Russell - Thursday, December 6, 2018 3:39 PMSome economists have asserted that mortgage robo-signing was partially to blame for the realestate crash of 2008 and the subsequent economic recession.
Heh... doesn't all of that fit what some people call "Artificial Intelligence"?
--Jeff Moden
Change is inevitable... Change for the better is not.
Viewing 12 posts - 1 through 11 (of 11 total)
You must be logged in to reply to this topic. Login to reply