The Stages of Security Awareness

More and more business, institutions, and Individuals are willing to reason that the cost of a data breach is less than or equal to the cost of treating customer data with the same care they treat their own social security number, email password, or bank information. Or at least it seems that way up until the point at which they get caught or become aware that they didn't invest in securing business data. Like many things, the problem is becoming aware of the issue. So what are the key points of failure in becoming aware?  What keeps business, institutions, and Individuals from securing important data?  These are the attitudes I commonly see, they align themselves nicely with the first 5 stages of grief.

1. Shock: But we don't have anything of value to steal?  We couldn't be a target.

There are a couple things in this one that make it interesting.  First, it assumes that securing data is about data theft, data theft however is rather benign, what its used for is what causes the damage.  All businesses run on data, criminals have a business of their own and they exclusively want your data to be able to use it.  By knowing things about you (sometimes even in real time) an attacker can know what you are doing, corporate espionage is a real thing.  Depend on their access method they may also be able to appear as you. The other part of this is question implies that data might be the only thing an attacker wants to steal, a computer connected to the internet might be just as valuable depending on what their purposes are.  Brian Krebs has an excellent article on this.

2. Denial: We've never had a data breach before.

My favorite quip here is the classic "Well I've never died before, so maybe I never will!" This is perhaps the worst posture and often held by people who fundamentally don't understand technology or that humans get better at any given task over time, including crime. On the flip side, how do you know you have never had a data breach? Often it's the case that people who give this as some kind of reason for not investing in a security strategy are the same people who don't have firewall logs, adequate antivirus, any way to manage workstations or firewalls that haven't seen a firmware patch in over 5 years.

3. Anger: But who would want to attack us?

This one is interesting, the answer might be nobody.  Even if the answer is nobody the problem is that most business that has experienced some type of cyber security incident also had that answer.  The nature of cybersecurity today happens to be that attacks are not specifically targeted, in other words, your company is not important to an attacker and they don't care about you.  You are the complete opposite of special.  To the attacker, your email address just appeared in a leaked list or database of addresses, or maybe it was in a mailbox or address list of someone who already got hacked.  Its likely if your an older company or organization that you have some email addresses sitting out there, check have i been pwned it's better to know sooner rather than later.  Nobody is probably targeting you or your organization but somebody is always targeting everyone, targeting everyone is much easier than targeting someone.

4. Bargaining: Having security is inconvenient and slows business down I only want to secure things that don't have an impact.

This is in some cases true, treating customer data correctly does mean in some cases that extra care must be taken to ensure it is managed properly.  Being a sysadmin is a lot like being a private butler in that regard, your IT staff are stewards of the precious data your company uses to make money, so are your accountants, your salespeople and your janitors (yep, they probably have access to every unlocked workstation at night when they are cleaning).  If you only secure things that don't have an impact than the only things you will secure are things you're not impacted by.

5. Depression: There's no way to secure everything and criminals getting into our systems in inevitable.

Cool, go ahead and put that on your website. This is the most dangerous attitude and companies that have it when found out typically don't end up doing business anymore. The price of IT security is eternal vigilance.