We asked industry experts what message they would send to business leaders who have no intention of improving cyber-defences. Here’s the response from Morey Haber, VP, Technology at BeyondTrust:
The role of any leader in an organisation is to ensure business continuity and limit risk to the organisation, customers, employees and mission. Any disruption to the business can cause a loss in revenue, reputation, or potential harm to its employees or customers.
In today’s next generation economy, if a business embraces any form of electronic commerce, from payroll to online services, there is a real threat for business leaders that should not be ignored.
If your business is heavily invested in technology to operate, it is simply foolish not to consider improving your cyber-defences, even if they are a near zero cost investment. To that point, improving cyber-defence does not have to be an expensive investment to make sure your organisation does not fall victim to any one of these modern disruptions.
Consider the following:
- Education and implementation of secure password policies including acceptable usage (i.e. complexity and no password re-use)
- Enable automatic updates on all workstations and mobile devices to automatically install security patches when an investment in a vulnerability management and patch management solution is not feasible
- Budget for and replace all end of life equipment such as Windows Server 2003 and Windows XP to ensure a safe computing environment
- Enhance basic Windows group policy with best practice settings for session timeout and require periodic password changes
- Remove unnecessary administrator rights from all workstations and servers
- Change all default passwords so threat actors cannot guess them based on dictionary attacks
And, there are so many more. Outside of investing in new tools and replacing old equipment, no business leader should ignore improving cyber-defences. Minimal time, basic policies and simple education can stop the easiest of attacks and potentially keep your business off the front page of a newspaper.
For those business leaders that will ignore even this basic advice, respectfully I would kindly ask them to consider the alternatives and play a simple ‘what if’ scenario game:
- What if you do not improve your security posture?
- What if you are breached and sensitive data is stolen?
- Who will be accountable?
- Who will be hurt by an incident?
- Who could lose their job?
- Could someone potentially even lose their life?
The answers should not come as a surprise, and if your business involves ICS, SCADA, or other CI (critical infrastructure), then yes, a breach could cost someone their life if machinery or equipment is tampered with. The ‘What If’ questions are derived from a simple SWOT (Strength, Weakness, Opportunity and Threat) assessment regarding the cyber-security posture of your business.
In the end, I would challenge any business leader to say that what they are doing is good enough today, and that there is no room for improvement. Their push back may be due to cost, ignorance, arrogance or any number of human traits. That is simply not good enough when the basic tasks would be simple to implement and have a high value in protecting an organisation, even when funds are not available. There is always room for improvement; especially in cyber-security at home and in business.