Talking to companies about security is what we do, and we’ve been doing it for nearly 25 years. Over the years we have had some interesting engagements with some very prominent companies.
Many of the companies we have serviced have had very comprehensive security programs in place and have utilized the latest in security technologies. Some follow security standards like NIST, ISO and SOC. These companies, by security standards, are doing the right thing. So why are so many still vulnerable to attack?
The reason is tunnel vision, not to be confused with complacency. Complacency is a different affliction, one that brings down companies like a row of dominoes; I covered it in a previous blog.
Tunnel vision, in our opinion, is where an individual or group of individuals focus their time and effort on one particular aspect of their network, looking right past other important aspects or segments of their infrastructure.
Why do they do this? For many reasons, but one commonality is that they have heard that hackers are only after a newly discovered weakness in a particular technology they may be using. They then spend all their time, money and effort bolstering what they perceive to be the primary point of concern.
In other cases, one or more members of the IT team have a specialized skill set or knowledge of certain components of the infrastructure, and those components get all of their attention while the other elements get less because they are not that person's forte.
In the last case, a senior IT manager may have sunk the whole budget into one or more security technologies that he or she believes are all that is needed to ensure the infrastructure is protected. We call these three examples tunnel vision. There are many more.
Making decisions with tunnel vision leaves a company exposed and vulnerable to attack. In the above examples, all the effort is placed in one area while other areas are overlooked or get far less attention. Hackers realize this and leverage the opportunity to exploit a weakness in another area.
Good security must include a plan to address ALL areas of concern. Staff need to be trained to be aware of the threats. Members of the IT team should carry a diversified set of skills and be comfortable with the technology that is in place. Process checks and balances should be in place to make certain nothing gets overlooked. Tried and true technologies, as well as new technologies, should be utilized to provide consistent and reliable protection that keeps your organization safe. (Remember the golden triangle of people, process and technology!)
Most of all, don’t get sucked into the vortex of clever advertising, and don’t be too quick to adopt a new technology just because you’ve heard it’s the next best thing. It may not work for your organization, and/or you may not have the staff who can properly maintain it over time.
Security is a marathon, not a sprint. Be diligent, be thorough, and don’t get tunnel vision.
If you need help, reach out. We love to talk about security and are here to help.