Are you making the same IT mistake as Tasmania?
When the Auditor-General of Tasmania says this about four of the state’s most important government departments, you have to think there are some strange thought processes going on in the heads of the department chiefs:
“As a result of the high number of weaknesses identified, I concluded that there were areas of inadequate security at most departments.”
Mike Blake’s report on the infosec status of four of Tasmania’s key departments (Police, Primary Industries, Health and Treasury) identified some serious gaps in information security, such as a server room that permitted unauthorised entry and a failure to record which application patches had been installed and which had not, reports IT News.
The Police and Health departments both delivered a positive response to the findings. The other two departmental secretaries, however, rejected the findings, with the equivalent of “she’ll be right mate” rhetoric. One even took umbrage over the very basis of the report.
I wish they were alone in their attitude, but the reality is that we see variations on the same theme all the time from confident but unprepared IT managers and CFOs. Underlying the rhetoric are two key assumptions that can have very serious consequences.
1. “I don’t carry the kind of information someone would want to steal.”
That may be true. If your database carries information related to the cleaning frequency of offices in North Sydney, then it’s true that only a handful of other people would find that valuable and there aren’t too many Hacker-Cleaners getting about.
But what if the intrusion is not designed to steal, but rather, simply to disrupt? If you swap the question “why would anyone want to steal our data?” for the simpler question, “What’s the cost to us if we are offline for days as a result of a virus outbreak or security breach?” you will find that you get different answers.
CryptoLocker is an excellent example of this kind of disruption: its creators didn’t want to steal your data, simply to prevent your access to it. It didn’t matter what kind of information you had; it was important to you, so you either paid to get it back or lost it forever.
2. “We’re protected from outside attacks”
Notwithstanding the fact that any system has flaws that can be exploited if a team is willing to invest the time, this is another statement that betrays an assumption about where the threat is coming from. The Ponemon Institute’s 2014 Cost of Data Breach report found that 30% of data breaches occurred because of an employee’s intentional or unintentional act. So at best, preparedness against external attack vectors protects you only 7 times out of 10.
It’s not possible to take human error out of people, but it is possible to reduce or mitigate its impact with the network security tools available now.
The starting point for better security, though, is to question your assumptions. If you think you’re too small or too unimportant, you’re making the same mistake as the Tasmanian departments. Think about the cost of business disruption, not the threat of theft, and you’ll see the world differently.
Mandatory reporting of security breaches is coming. Now is the time to review your Infosec status and your assumptions about where the threat might come from and what you’ll do if it does.
The Tasmanian Auditor-General chose not to respond directly to the statements from the two disputing departmental secretaries, but did offer this:
“We didn’t go in and try to hack any of the agencies this time around. Maybe that is something we will consider doing as part of the two year review”.
I think that despite the bluff and bluster, some real action will be occurring behind the scenes in the Department of Primary Industries and Treasury to ensure no red faces next time.
No-one wants to make the same mistake twice.
Senior Sales Manager
Read more: https://www.itnews.com.au/news/tassie-agencies-refuse-to-adopt-asd-infosec-protections-402175
Update: Since the publication of this article the Australian Signals Directorate, which offers advice and direction to all levels of government and private enterprise, has published guidance on mitigating the risk of a cyber attack. Called the Essential Eight, the ACSC estimates that following its strategies will reduce the risk of a successful attack by 85%.