In terms of cyber security, meaningful measurement is an issue that needs to be addressed if the security industry wants to be seen as grown up and not scaremongering. What I would like to do in this article is zoom in and examine an internal security issue many MSPs and IT admins face: practicing what you preach. This is not going to be a pleasant topic and I’ll be honest here: I’m constantly battling with this one as well. There are a couple of reports that highlight what I mean.
Firstly, many of you will no doubt have heard apocryphal stories about USB sticks being left in car parks in order to infiltrate companies. However ridiculous you may think it sounds, this threat is very real. In 2015, a white paper from CompTIA revealed the findings of a USB stick study in which 200 thumb drives were distributed in airports, coffee shops, and public squares around several big US cities. CompTIA concluded that 17% of the sticks were plugged into computers. Sadly, it appears we’re still not getting the message. Last year Google’s anti-abuse team dropped 300 USB sticks and found 48% were opened.
Secondly, a report from Intermedia found that 97% of employees have access to some form of sensitive or confidential information – yes, that’s why they are employees – and that 93% of employees admit to engaging in at least one form of poor data security.
OK, according to these two reports, most of the IT professionals and users in these surveys suck at security. I don’t think this is an unfair assessment, and I would probably have shoved a USB stick I found into a virtual machine to take a peek. I don’t feel too bad about this, as the USB drive technique worked on the US military in 2008.
IT pros are generally curious and we are also the folks that look after a lot of other people’s data, and that’s my point: This issue is not an IT issue and it can’t be dropped at the feet of IT. The only takeaway from these exhaustive surveys is that it seems everyone is really bad at security. So if that’s the case, what is the answer?
Well, it’s kind of simple really: Everyone could be doing a better job – me, you, your employees, and your customers. This is a cultural issue and permeates the organization and our lives. Security is not just about the technology, it’s about people and processes as well. So my advice to IT admins and MSPs is to demonstrate leadership by setting an example. Try following these easy steps for a start:
The true takeaway is this: MSPs and IT admins hold the keys to the castle for many businesses, which are the life’s work of their owners. Your skills and knowledge are the only thing that can put a business “back in business” if an accident or cybercriminal attack occurs. Leadership by example is not easy, but in time your customers will appreciate your diligence.
Ian Thornton-Trump, CSA+, CD, CEH, CNDA is CTO at Octopi Managed Services Inc. Ian is an ITIL certified Information Technology (IT) consultant with more than 20 years of experience in IT security and information technology. He enjoys and maintains a strong commitment to the security community. From 1989 to 1992, Ian served with the Canadian Forces (CF), Military Intelligence Branch; in 2002, he joined the CF Military Police Reserves and retired as a Public Affairs Officer in 2013.
You can follow Ian on Twitter® at @phat_hobbit.