Had a data breach? – I told you so!

I am blessed to have two fantastic young children – although I am not sure that I always feel it’s a blessing when they are whining about what the other one did or having a complete meltdown about which socks they are going to wear to school, as I am trying to rush them out the door before we get a late mark from the teacher!

Here I am on a sunny Saturday afternoon, watching them playing with their school friends. I often watch them playing, but today I can’t help smiling as I listen to the group of kids telling each other (in a whining voice) “I told you so. I was right, you were wrong. You should have done it like I said”. The reason I am smiling is because this is how I feel my week has been with some of my business meetings…

Starting with the basics

About three months ago my security team conducted a security assessment and gap analysis at two large organisations. We found a number of high-risk areas which required urgent attention, as we felt the clients could be highly vulnerable to a cyber incident. In fact, one of the businesses had just got off lightly two weeks earlier from a data breach. We presented our findings back to the business with a list of recommendations. We were politely forceful with our comments around the urgency of the high-risk areas we had identified. The recommendations were not expensive, nor time-consuming to implement, but they decided to sit on them and do nothing. I always find this odd when companies do this.

Why pay for expert advice to then ignore it completely?

Can you guess what happened next?

Data Breach has occurred

It doesn’t take a genius to work out the next part of my incredibly interesting and gripping story, but yes, their network was hacked via one of the vulnerabilities we had identified. When I say hacked, I don’t just mean a little bit. The hacker was one malicious *Insert your own word here* and destroyed large parts of the network, deleting data and log files and making it very difficult to find out where they had been. They had even gone to the extent of installing software on the servers that made the hard drives spin too quickly and pretty much destroy themselves. It was pretty damn ugly.

So at 8am, on the day the hack had been discovered, we received the very panicked phone call asking for assistance in helping them rebuild and recover, and to improve their security once we got their systems back up. Four days later, the company in question still has not been able to restore 35% of their systems, and they have lost thousands of man hours where staff have been unable to perform all of their roles.

“I told you so. I was right”

Unlike the kids playing in the park, I wasn’t dancing around saying “I told you so. I was right”, but I did have a big sense of frustration. This incident was entirely avoidable. The risks had been identified. A clear path had been shown to mitigate the risk, and yet it had not been taken. The result was carnage for the client and a very large bill from us. Now I like sending big bills, don’t get me wrong, but I would 100% prefer to know that the expert advice of my team was taken on board and such incidents avoided. I am in business to make money, but my team also has a moral compass and a sense of wanting to win against the bad guys. In this scenario the bad guys had got in and got away, and I hate that!

I don’t look at the world through rose-tinted glasses. We will never be able to stop all cyber crime, and we will never catch all those responsible, in the same way that the police can’t stop all burglaries and catch all the perpetrators. But if someone says that leaving the front door wide open, not setting the alarm, and putting all the valuables in the hallway is a bad idea… then surely people should listen and take the advice!?

A change in attitude is needed

In my humble opinion there is a real complacency in the UK about cyber crime and IT security. Our attitudes are definitely better than a few years ago, but we take security and data protection way too lightly compared with other countries. It’s almost an “It won’t ever happen to us” mentality, until it does and the brown stuff hits the fan.

So as I sit watching the kids play and whine at each other, I ponder to myself: how do we help businesses and IT professionals take security more seriously and be more proactive? My team are constantly running awareness events, training or consulting with clients. We are lucky that most of the clients we have take our advice, but as a modern country that relies on IT systems so heavily, we need a sea change in attitudes to enable the subject to be taken more seriously.

