https://community.isc2.org/t5/Industry-News/Biggest-cyber-risk-is-complacency-not-hackers/m-p/54668#M6002 <P>See both the lack of competency and complacency as being the two biggest factors in the workforce. Otherwise I completely agree.</P> Thu, 27 Oct 2022 18:19:40 GMT Beads 2022-10-27T18:19:40Z https://community.isc2.org/t5/Industry-News/Biggest-cyber-risk-is-complacency-not-hackers/m-p/54647#M6000 <P>Hi All</P><P>&nbsp;</P><P>According to the John Edwards the UK Information Commissioner, who used to be the New Zealand Privacy Commissioner:&nbsp;</P><P>&nbsp;</P><P><SPAN class=""><SPAN>"The biggest cyber-risk businesses face is not from hackers outside of their company but from complacency within their company"<BR /><BR />Great quote from John Edwards -now the UK information commissioner - on the recent £4.4m fine levied against a UK firm:<BR /><BR />- "Interserve Group broke data protection law because the company failed to put appropriate measures in place to prevent the cyber-attack"<BR /><BR />- "failed to stop a phishing email that an employee downloaded, while a subsequent anti-virus alert was not properly investigated"<BR /><BR />- "Interserve used outdated software systems and protocols, had a lack of adequate staff training and insufficient risk assessments"<BR /><BR />- Paying a ransom was 'not considered a reasonable step to safeguard data' - “We will not concede that the payment of a ransom to recover data is a mitigating factor"<BR /></SPAN></SPAN></P><P>&nbsp;</P><P>&nbsp;</P><P><A href="https://www.theguardian.com/business/2022/oct/24/outsourcer-interserve-fined-4-point-4m-cyber-attack-failings-data-breach-personal-information" target="_blank" rel="noopener">https://www.theguardian.com/business/2022/oct/24/outsourcer-interserve-fined-4-point-4m-cyber-attack-failings-data-breach-personal-information</A></P><P>&nbsp;</P><P><A href="https://ico.org.uk/about-the-ico/media-centre/news-and-blogs/2022/10/biggest-cyber-risk-is-complacency-not-hackers/" target="_blank" rel="noopener">https://ico.org.uk/about-the-ico/media-centre/news-and-blogs/2022/10/biggest-cyber-risk-is-complacency-not-hackers/</A></P><P>&nbsp;</P><P>Regards</P><P>&nbsp;</P><P>Caute_Cautim</P><P>&nbsp;</P> Mon, 09 Oct 2023 10:21:01 GMT https://community.isc2.org/t5/Industry-News/Biggest-cyber-risk-is-complacency-not-hackers/m-p/54647#M6000 Caute_cautim 2023-10-09T10:21:01Z https://community.isc2.org/t5/Industry-News/Biggest-cyber-risk-is-complacency-not-hackers/m-p/54668#M6002 <P>See both the lack of competency and complacency as being the two biggest factors in the workforce. Otherwise I completely agree.</P> Thu, 27 Oct 2022 18:19:40 GMT https://community.isc2.org/t5/Industry-News/Biggest-cyber-risk-is-complacency-not-hackers/m-p/54668#M6002 Beads 2022-10-27T18:19:40Z https://community.isc2.org/t5/Industry-News/Biggest-cyber-risk-is-complacency-not-hackers/m-p/54677#M6003 <P>Having been with 14 different companies/agencies I see the same repeatable pattern:</P><P>1) Poor patch management</P><P>2) Outdated IT and Security tools</P><P>3) Lack of modernization of infrastructure</P><P>4) Poorly trained or (satisfied where they are ) workforce</P><P>5) Users, no matter what the security training provided, who will click on an email that entices them.</P><P>&nbsp;</P><P>Complacency yes. Not upgrading tools because "What we have is working." "We haven't been hacked yet!" "We're too small. No hacker would want to come after us."</P><P>&nbsp;</P><P>You have to have bold leadership too that can inspire a workforce. You have to have finance departments willing to spend money BEFORE a breach happens, not just release the purse strings AFTER an event happens.</P><P>&nbsp;</P><P>And if all that fails, if you have a motivated attacker, they can eventually find a way in.</P> Thu, 27 Oct 2022 19:29:15 GMT https://community.isc2.org/t5/Industry-News/Biggest-cyber-risk-is-complacency-not-hackers/m-p/54677#M6003 CISOScott 2022-10-27T19:29:15Z