Lax Security is Harmful for Employment

  • Steve Jones - SSC Editor

    SSC Guru

    Points: 717408

    Comments posted to this topic are about the item Lax Security is Harmful for Employment

  • David.Poole

    SSC Guru

    Points: 75285

    I am not optimistic.  Shadow IT presents immense risk from a data security and compliance perspective.  The problem is that Shadow IT is often sanctioned by people with spending authority and that means people at reasonably senior levels.  It isn't hard to end up in a situation where behaviours that put an organisation at risk are not only sanctioned, but rewarded.

    The nature of Shadow IT is that its output lacks the formal support structures and practises to be self sustaining.  That means that, eventually, the progenitor of a particular solution will move on or be promoted to a position where they can divest themselves of their offspring.  Because their offspring is regarded as "mission critical" it rolls down hill into formal IT.  Should a breach occur as a direct result of using this system then it is formal IT that will end up carrying the can.

  • jay-h

    SSCoach

    Points: 18816

    Firing the executive is not necessarily the right thing, because of the nature of security failures. Of course negligence is one thing, but often it's a matter of the company simply being outmaneuvered or out smarted by a very clever adversary (after all the US military and intelligence agencies have been successfully hacked)

    Security is a complex business. It looks like in the Marriot case, they acquired another chain. Even with due diligence (and there is a limit to how deeply you can go into another organization's system before a merger) neither organization knew about the breach until Marriot started to prepare to merge the systems. The stolen data was encrypted by the attackers and there was some time before it could even be determined what it was.

    Except in cases of negligence, a company's best option is to KEEP the good people, and bring in experts to resolve the issue, not perform a ritual sacrifice.

    ...

    -- FORTRAN manual for Xerox Computers --

  • Bob Razumich

    SSCrazy

    Points: 2019

    jay-h - Wednesday, December 5, 2018 6:24 AM

    Firing the executive is not necessarily the right thing, because of the nature of security failures. ...
    Except in cases of negligence, a company's best option is to KEEP the good people, and bring in experts to resolve the issue, not perform a ritual sacrifice.

    Unfortunately for everyone, today's social climate often requires a scapegoat for everything, even when there was due diligence being performed by those responsible. My employer includes a team whose sole job is to attempt to hack into our systems to find vulnerabilities before the real bad guys do. But I also realize that probably most companies, except for the zillion dollar revenue ones, can not afford to fund such a team. 

    As an aside, it still amazes me that the same people who might be worried about exposed data freely post much of the same thing all over social media.

  • kiwood

    Ten Centuries

    Points: 1070

    Wish I could say that I was more than pessimistic. The sad fact is that firing of a C level employee often lands the person in a higher paying position. It is a completely different world than rank and file personnel. Good security can be painful, but it should be the norm. A good start would be that someone should ask if every bit of data is really needed and if there is some substitute that would work as well. And consideration for removing data once it is no longer needed.

    At some point some high level people will need to lose more than a job.

  • roger.plowman

    SSChampion

    Points: 10196

    Call me cynical but I have to wonder how much of that huge cost is simply bringing security up to where it should have been in the first place (both the labor in applying patches, getting new software, and/or additional employee salaries). Should this be counted in the cost of the breach? Personally, I don't think so.

    Now, lawyers fees, punitive damages, "customer recompense" (hah!), etc., yes, that absolutely should be included. But not the cost to fix the security that should have already been there.

    Of course inflating the cost is likely to soften public opinion, "look how much it cost them. Bet they won't do that again"...

    (need more caffeine!)

  • j_e_o

    SSC Eights!

    Points: 959

    I feel a bit uncomfortable regarding who the ax falls upon:  it seems to me that if a business or corporation does not sufficiently invest in security that the buck stops at the desk of the CEO or the board of directors.  I prefer the latter since they really hold the purse strings and represent the investors.  If it is your own business, you rolled the dice and it came up snake eyes so take your medicine.

    But the crazy thing about all this is that most security issues have to do with insider activity, installing software with the default configuration values intact or failure to keep software up to date, three items that don't need a great deal of investment to address (well, software upgrades can be a pain and the down time might cost you some money but not always).

  • Frank W Fulton Jr

    SSCommitted

    Points: 1599

    First of all, Cow droppings are much less viscous than Horse dropping.
    In fact, they are often like pancake batter, hit the pan and spread out.
    And it seems that data breaches have become the norm, which is Cow Droppings.
    Penalties should be levied and collected for every breach, I bet if it coast $10 a person and we actually fined and collected on the first few, everyone else will get the message, and secure their systems.

  • Eric M Russell

    SSC Guru

    Points: 125055

    It's hard to separate the sarcasm from truth in this Onion story. :unsure:
    https://www.theonion.com/wells-fargo-computer-glitch-accidentally-forecloses-on-1830889330

    "Do not seek to follow in the footsteps of the wise. Instead, seek what they sought." - Matsuo Basho

  • Jeff Moden

    SSC Guru

    Points: 995648

    Eric M Russell - Thursday, December 6, 2018 1:15 PM

    It's hard to separate the sarcasm from truth in this Onion story. :unsure:
    https://www.theonion.com/wells-fargo-computer-glitch-accidentally-forecloses-on-1830889330

    I heard about a different story on the news, yesterday.  A similar "glitch" affected more than 700 people and caused more than 500 people to lose their homes.  And some people say that what we do "isn't saving lives" when it comes to agonizing over getting things right all the time. Imagine what those poor souls went through.

    --Jeff Moden


    RBAR is pronounced "ree-bar" and is a "Modenism" for Row-By-Agonizing-Row.
    First step towards the paradigm shift of writing Set Based code:
    ________Stop thinking about what you want to do to a row... think, instead, of what you want to do to a column.
    "If you think its expensive to hire a professional to do the job, wait until you hire an amateur."--Red Adair
    "Change is inevitable... change for the better is not."

    Helpful Links:
    How to post code problems
    How to Post Performance Problems
    Create a Tally Function (fnTally)

  • Eric M Russell

    SSC Guru

    Points: 125055

    Jeff Moden - Thursday, December 6, 2018 3:34 PM

    I heard about a different story on the news, yesterday.  A similar "glitch" affected more than 700 people and cause more than 500 people to lose their homes.  And some people say that what we do "isn't saving lives" when it comes to agonizing over getting things right all the time. Imagine what those poor souls went through.

    Some economists have asserted that mortgage robo-signing was partially to blame for the realestate crash of 2008 and the subsequent economic recession.

    "Do not seek to follow in the footsteps of the wise. Instead, seek what they sought." - Matsuo Basho

  • Jeff Moden

    SSC Guru

    Points: 995648

    Eric M Russell - Thursday, December 6, 2018 3:39 PM

    Some economists have asserted that mortgage robo-signing was partially to blame for the realestate crash of 2008 and the subsequent economic recession.

    Heh... doesn't all of that fit what some people call "Artificial Intelligence"?

    --Jeff Moden


    RBAR is pronounced "ree-bar" and is a "Modenism" for Row-By-Agonizing-Row.
    First step towards the paradigm shift of writing Set Based code:
    ________Stop thinking about what you want to do to a row... think, instead, of what you want to do to a column.
    "If you think its expensive to hire a professional to do the job, wait until you hire an amateur."--Red Adair
    "Change is inevitable... change for the better is not."

    Helpful Links:
    How to post code problems
    How to Post Performance Problems
    Create a Tally Function (fnTally)

Viewing 12 posts - 1 through 12 (of 12 total)

You must be logged in to reply to this topic. Login to reply