The Power of Training

As 2020 budgets are being finalized, I thought I should send out an appeal to all the financial executives and boards of directors out there… Get your IT and cyber security team(s) trained on whatever platforms you employ. This isn’t a luxury item anymore, it is required. It is actually critical that this happens. It is critical for the longevity of your organization and to remain in compliance with regulatory agencies.


If you think about it, would you want an accounting firm to do your taxes if they haven’t updated their knowledge in 5 or 10 years? What about a doctor who refuses to try new medicines?


IT is the backbone of every business. I know training is an expense. But in the event of a breach, you do not want opposing counsel asking whether you trained your team. You do not want regulators asking, and you certainly don’t want to have to explain to shareholders why you are taking a huge charge because of a breach when you did not train your employees. You do not want to explain to voters why there was no budget in place when data breaches are on the news nearly nightly.


I realize that it is impossible to prevent a breach completely. But there are steps every organization can take to mitigate breaches and reduce their impact.

Just Because it is Working Doesn’t Mean it Works

Anyone who has ever tried to get something installed, set up a new TV at home, or even helped their kids with a project was relieved when it worked. You pushed toward whatever you were trying to accomplish until the moment of elation when it finally worked! You got it! Crack a beer and enjoy your success… But software and applications are completely different.


Recently, in the process of our security assessment work, we found an issue where something had been perfectly functional and working for years. We were able to get through the process to hack an entire network. We consider this an “Entire Network Takeover”. We had access to everything. The issue was the result of an improperly configured system. They had no idea. This was not malicious, it was ignorance. Ignorance of what was proper. Ignorance of the vulnerability. Nothing had appeared to be misconfigured, so it was assumed to be okay.


The main issue is that people in IT often stop testing when something is working. But that is not the right process in the current climate. You have to continue to test and test and test until it works and it is secure. And in order to do that, they need training.

Keeping Training Current

Keeping your team’s training current is imperative. This training needs to be updated annually. There should be quarterly training plans in place for anyone involved in IT or applications. Certifications are fine, but the training is invaluable. Some training will be formal and taught in classrooms. Other classes will be informal webinars with features and specs.


I love how some professions require CPE credits to maintain licenses. I am not big on regulations, but I am big on education. In IT there is no formal approval process to get in. So, the field is wide open for anyone to get started. Which is great. But the great people in IT are the ones that are constantly learning. They are the ones that rise to the top. They are there because they can throw their hands up and say, “I don’t know something.”


Because if you work in IT, unless you are seeking knowledge, you will never know what you don’t know. I think this probably applies in any area of life too. Training, reading, and education lead to better life skills, better marriages, better families, and an employable workforce.