I frequently encounter organizations that have a, shall we say, rather naïve view of security.

Often, their position is some measure of:  “No one but our [customers/clients/constituency, etc.] knows about us, and they’re certainly not going to harm us.”

Another refrain is:  “We’re small; under the radar for the moment.  Sure, we’re evaluating better security… we’re going to get to that…”.

And then there are the orgs that think they’re already “water-tight” – until the flood of bad results pour in from a breach.

We spoke of the hacking group Anonymous a few days ago.  Now it seems that this group has hacked into approximately 70 rural U.S. law enforcement websites, taking information regarding investigations and posting it to the internet, as well as tips from the public, e-mails from officers and, rather amazingly, credit card numbers.

In a statement by Anonymous, this theft of data was in retaliation for arrest of sympathizers in the U.S. and Great Britain – to the tune of 10 gigabytes.  They further stated their leak was “a massive amount of confidential information that is sure to discredit and incriminate police officers across the U.S.” and that this would “demonstrate the inherently corrupt nature of law enforcement using their own words” to “disrupt and sabotage their ability to communicate and terrorize communities.”

Ah – sort of a public service, eh?  But what do we take away here in the Biz-IT community?

We take this:  This isn’t an attack on the NYPD, the LAPD, the CPD (Chicago).  This is theft from rural areas in places such as Arkansas, Kansas, Louisiana, Missouri and Mississippi.  Thus, mischief makers and individuals and groups with chips on their shoulders will look for soft targets:  the naïve, the ignorant, and… after this… the unwise.

One of the chief difficulties in putting off security evaluations and initiatives is that it becomes difficult, expensive, and consuming (of resources such as $$, time, and people) when you finally get around to tackling it.  And that’s the significant enough rub assuming you don’t have a breach or loss.  It’s like you’re standing at the base of a cliff, looking to scale a challenge all at once, with immediate need for egress to the top.

If your security initiative is paired with a recent breach, and an “Oh sh… sh…  should we tackle security now?”-moment, then it’s all the more difficult.  You’re facing the fire of fallout, more potential breach, and you have to mount and complete initiatives in a rush.

Make no assumptions:  not about outside threat, your risk about being targeted (or found), nor about what “invitations” your staff may be making in terms of their outreaches to nefarious domains and entities:  Whether intentional, accidental, or through ignorance.  Survey security now:  Inside and out (in terms of products and protections that are available).  If you’re comfortable with your security initiatives, survey the market anyway.  Survey what other organizations are doing that are in your domain, your market, that are your size with similar budgets.

When security is managed as an ongoing initiative, with monthly or quarterly assessments (as well as ad hoc ones based on exigencies – let’s not forget that), paired with the annual review of all states of business and IT, we find that we have something very important:

We have a manageable, affordable, and protecting forward-posture as regards the overall state of security.

NP:  Skoshuss, Bluesiana, jazz24.org