Caute_cautim
Community Champion

Biggest cyber risk is complacency not hackers

Hi All


According to John Edwards, the UK Information Commissioner, who was previously the New Zealand Privacy Commissioner:


"The biggest cyber-risk businesses face is not from hackers outside of their company but from complacency within their company"

Great quote from John Edwards - now the UK Information Commissioner - on the recent £4.4m fine levied against a UK firm:

- "Interserve Group broke data protection law because the company failed to put appropriate measures in place to prevent the cyber-attack"

- "failed to stop a phishing email that an employee downloaded, while a subsequent anti-virus alert was not properly investigated"

- "Interserve used outdated software systems and protocols, had a lack of adequate staff training and insufficient risk assessments"

- Paying a ransom was "not considered a reasonable step to safeguard data": "We will not concede that the payment of a ransom to recover data is a mitigating factor"


https://www.theguardian.com/business/2022/oct/24/outsourcer-interserve-fined-4-point-4m-cyber-attack...


https://ico.org.uk/about-the-ico/media-centre/news-and-blogs/2022/10/biggest-cyber-risk-is-complacen...


Regards


Caute_Cautim


2 Replies
Beads
Advocate I

See both the lack of competency and complacency as being the two biggest factors in the workforce. Otherwise I completely agree.

CISOScott
Community Champion

Having been with 14 different companies/agencies I see the same repeatable pattern:

1) Poor patch management

2) Outdated IT and Security tools

3) Lack of modernization of infrastructure

4) Poorly trained or (satisfied where they are) workforce

5) Users, no matter what the security training provided, who will click on an email that entices them.


Complacency, yes. Not upgrading tools because "What we have is working." "We haven't been hacked yet!" "We're too small. No hacker would want to come after us."


You have to have bold leadership too that can inspire a workforce. You have to have finance departments willing to spend money BEFORE a breach happens, not just release the purse strings AFTER an event happens.


And if all that fails, if you have a motivated attacker, they can eventually find a way in.