Being an infosec guy isn’t easy. Like most IT positions, you’re always in the way of progress and innovation, you’re the bad cop, the “no” guy, the pain in the ass, the guy people would rather not talk to and just go about their business, until their business requires your involvement, at which time you suddenly become embraced as a welcome and trusted partner who will help make things whole again. When you’re not everyone’s friend, you’re usually just saying something that no one wants to hear, and it’s hard to keep your head up. It isn’t easy.
Infosec is about culture. The organizational culture either gets it, or it doesn’t. Those that don’t get it tread a sort of middle ground where they know enough to consider and implement out-of-the-box practices — password strength, least privilege, maybe even basic multi-factor authentication — but not enough to take things any further and think critically about why information security is important, which stunts the organization’s overall security posture and in turn makes it vulnerable.
“Why would anyone want to hack us?”
I hear this a lot.
Maybe you have something of value — that one is easy. You have stuff to protect by default. Money, health records, government secrets. In a lot of cases, regulatory requirements steer your infosec strategy for you. It’s easy. And in general, you don’t need a lot of convincing.
Maybe you’re a gateway to something of value — that one is harder. Maybe you have systems that have access to accounts with large amounts of capital. Maybe you personally don’t hold a lot of money, but have high-net-worth customers who do; their personally identifiable information is a goldmine. You have to think more critically here. It’s not necessarily about what you have; it’s what you as an organization have access to. Those pathways to things worth protecting are just as important as having custody of the things themselves.
Maybe you’re vulnerable. The reality is that many organizations who are hacked or otherwise compromised never started as victims of directed attacks. Hackers and scammers use a shotgun approach, scanning the entire universe for systems with security holes that can be exploited. It won’t be because someone was out looking for you personally, and you can’t even call the fact that they found you bad luck. Insecure systems aren’t bad luck; they’re negligence. The same goes for employees who lack proper training — they’re insecure systems too.
You have disgruntled employees. You have them, whether they still work for you or not. If you’ve rubbed someone the wrong way (whether you know you did or not!), that insider is a potent attack vector: someone who already knows the blueprint of your security model — even a basic one — and where it is the weakest. And if they don’t act on it personally, nothing says they won’t tell someone else about it.
“If they got this information/if we get hacked, it doesn’t matter”
It absolutely will matter. Your organization exists because, on some level, people trust it. Otherwise, no one would do business with you!
It’s not necessarily about what hackers will do with the information they take from you; it’s the simple fact that it was taken. No one will keep eating at a restaurant that continually mishandles a customer’s credit card. No one will order wholesale product from a vendor whose order history ends up on the internet for competitors to see. And no one will make a charitable contribution to an organization that had its donations siphoned off to a hacker’s Bitcoin wallet. There’s always somewhere else to do business, and if they’re not doing it with you, you don’t have a job.
But remove the connotation of data loss from the equation. What about the simple notion of being down and unable to perform business? Indefinitely? Try to envision the level of frustration in your organization when no one can access a critical system. Or a core desktop app used to run the business simply won’t operate. Or your enterprise multi-factor mechanism stops operating. Or no one can get on the internet. Now scale that frustration from individuals, to entire departments, to your entire organization. Nothing was stolen and you haven’t lost anything, except the ability to do your job.
You can get away with insecurity for a really long time. But will your business be able to recover? Will you reflect positively on your decision to invest in cleanup, rather than prevention? Will management feel the same way?
Ask yourself why you consider information security a path of resistance, and not what it really is: fundamental insurance for business continuity.
You can’t rationalize away the need for infosec. As security practitioners, we can quantify the cost of a solution. What we can never truly quantify is the cost of a breach, or the cost of downtime. We can estimate those costs, but brand and reputation damages are immeasurable. If you’re serious enough to be in business, be serious about staying in business. There’s no sense in locking your office doors when the ones that really matter — the ones to your data — have no locks.
Take the next steps. Digital signatures. 2-factor tokens. Data-at-rest encryption.
If you can’t get there on your own, enlist someone to help. But get there.