Negligence and Assessments

I have said many times on this blog that security isn't reactionary. It is a process. There is no one single thing that anyone can do to protect your data. But business owners and managers often make one critical error: they don't verify their state of security.

I was in a conversation recently regarding an IT department at a mid-sized company. I was speaking with a manager, and her sentiment was one of grave concern. Our IT guy has too much control, and our owners are afraid to lose him. Not because he is a valuable employee; just the opposite, he is an awful employee. They are afraid to lose him because he holds all of the purse strings. He has all of the passwords. He is the only person who knows their systems. He is the only one who has access to make changes. He is the only person who knows where, and if, the data is backed up.

Listen to this concern. This business knows that it could be held hostage by an IT person, and it is unwilling to change anything. This goes beyond negligence toward the company and its employees; it affects their clients. This particular business has key data affecting numerous clients and their businesses. And it is all dependent on one person? If that data is lost, who will pay to recreate it? Talk about neglect.

Data protection, disaster recovery, and business continuity are all examples of security. Security is necessary so businesses can meet their mission. A doctor's office cannot function without patient history. A law firm cannot go to trial without case histories. Soft drinks don't get made without the proper recipe.

Not going through the steps to get an assessment of where everything stands, and running through "what if" scenarios, is a grave injustice. This is an inexpensive proposition, yet it goes unchecked. Companies audit their financials out of fear of paying too much in taxes, or too little and risking an audit. There is a natural driver in place. IT should be no different. The natural driver is continued operations and the processing of transactions.

There is no grading system in place for security that tells you, when you walk into a business, whether your information has a high or low probability of staying safe. This will never exist. But conducting business with poorly managed companies puts you as a client at risk. Not assessing your own business puts everything at risk. Everything you have worked to build.