How much of your budget goes to protect you from the companies that are supposed to be protecting you?
Over the past several years I have heard, learned, discussed and agonized over cybersecurity more than I would have ever imagined in my wildest dreams a decade ago. And I have invested a massive amount of money in cyber and all other types of security during this time to be safe (hopefully). When I moan and groan about the staggering cost, cultural change to our operating environment, and considerable training all employees must undergo to relearn basic computer tasks, the response I hear – usually from vendors or some other third-party – is “that’s the cost of being in business these days.”
Yes, being in business has underlying fixed costs that may change but never decline. These days some of those costs are to harden IT infrastructure and put in place systems, equipment and procedures to primarily safeguard data, and sometimes maybe even employees. Several years ago, attempting to explain as simply as possible to employees the need to prepare for cyber attacks, I drew a comparison to the pirate attacks of lore. At the time, piracy was commonplace on the coast of Somalia. Some hacker, I suggested, from a nation/state was ready to kidnap a Captain Phillips, take his ship and plunder its cargo. Indeed, I know of companies held ransom for Bitcoin losing control and access to all their IT infrastructure and basically being unable to operate systems or even shopfloor equipment.
The threat is real, and we all need to do the due diligence and invest the time and money to put in place reasonable safeguards to eliminate or at least dramatically limit the potential of losing valued intellectual property, data files and critical code. The more I learn and invest to have a secure, safe and trusted business that customers, suppliers and employees have confidence in, however, the more I realize there is more than one type of pirate operating in the cybersecurity universe.
When you try to tackle the herculean task of hardening systems, servers and software to be robust and cybersecurity-safe, you realize that, for all intents and purposes, you must replace almost your entire IT infrastructure. With so many legacy software programs running on equipment from companies long out of business, it is logical to focus attention on that large potential black hole. In this particular instance, however, you quickly discover that what’s old and functioning, even if from a defunct company, is just landscape. The journey you are on is supported by companies such as Microsoft, Amazon, and other behemoths in the “tech” world. And that’s when you realize the other pirate is less Somalian terrorist and more like Captain Jack Sparrow from The Pirates of the Caribbean.
How could this be? Simple. An IT system relies on two basic things: software and internet, or more specifically, email. We take both for granted, especially as they are based on platforms from companies that support all industries on all types of hardware equipment globally. The problem is those companies know it. That’s where the piracy begins. One part of the behemoth corporation decides to update its email software. Great! Then it crashes the operating system that runs the computer it resides on. So you, or more specifically your “IT guy,” get the various patches and fix it. You are back up and running, safe and secure as before. However, the next week a different part of the same behemoth corporation decides to update its operating system, which crashes the email service. Once again you – or more likely your “IT guy” – get the patches going and fix it.
This happens over and over again, and regrettably is just as predictable as the antics of Jack Sparrow as he outwits the British navy while plundering bounties and charming innocent maidens. Corporations large and small have jumped on the cybersecurity bandwagon and have figured out that businesses will pay whatever it takes to protect themselves from a cyberattack. And with protocols being developed and launched such as CMMC certification to enable companies to prove they have the best defenses built into their IT and security infrastructure, the costs in time and treasure escalate. Much of the money you are spending is to “fix” what these companies muck up by not coordinating their own internal efforts and to pay someone else to certify what you already know.
I realized, then, that a decent percentage of my IT security budget goes toward efforts to protect myself from the companies that are supposed to be protecting me!
That is indeed the cost of business in our current world. No question we want safe IT infrastructure. No question that companies that have fallen victim to cyberattacks or Bitcoin ransom experience devastating impacts to their business, profits and reputations. The frustration is that in our technologically fast-paced world, just when you think you are “there,” an OS change is made on software used globally, and you have to start the process over.
As more industries realize how exposed their IP, and that of their customers, is to antiquated computers, servers and software, the cybersecurity mantra, and the costs associated with it, will certainly be there. It would be helpful, however, if some of the big suppliers of software, systems and platforms eliminated the dumb actions that make them often appear more pirate than defender.
Then again, maybe I am wishing for too much! It certainly was simpler and less costly way back when all you had to do was bolt down the typewriter and lock the file cabinet.