2015 year of the data breach

Will 2016 be the year we improve?

I have just been reading the latest Ponemon Institute report, 2015 Cost of Cyber Crime Study: United Kingdom. It will not surprise any reader that cyber crime in the UK is on the increase. There have been a number of high-profile breaches in 2015, Talk Talk and Carphone Warehouse to name but two. But how many are we not informed about? And what is industry, not just the IT industry, doing to stop these attacks?

At the time of the Talk Talk attack the Institute of Directors (IoD) acknowledged that only “serious breaches” made the headlines, but that attacks on British businesses “happen constantly”. Is this because we are not learning from the attacks that do happen? After all, there isn’t really a spirit of openness around such things, but there is plenty of FUD (Fear, Uncertainty and Doubt) spread by professionals, some knowing and some not so knowing.

Take the Talk Talk example. In some ways I feel a little sorry for them, in some ways I don’t. The attack was rumoured to be a SQL injection, and the perpetrators were described in the press as clever, talented and sophisticated. In reality they were none of these. SQL injection has been a known vulnerability since the late 1990s, and so has the prevention method: keep user input out of the query text by using parameterised queries (prepared statements) rather than building SQL by string concatenation. So why was it not applied? The tools the ‘hackers’ used would have been able to exploit such a vulnerability with relative ease. It was also only rumoured that the attack was SQL injection; Talk Talk could not confirm this.
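To make the point concrete, here is the vulnerable pattern beside the long-known fix. This is an added example written for this post; it is not code from the original article and has nothing to do with Talk Talk’s actual systems, whose schema was never published. The customer table, the rows in it and the two attack payloads are all constructed for illustration, and the code runs against an in-memory SQLite database so it can be tried offline.

```python
import sqlite3

# Constructed sample data for the demo (a toy schema, not any real company's).
CUSTOMERS = [
    ("alice", "alice@example.com"),
    ("bob", "bob@example.com"),
    ("carol", "carol@example.com"),
]


def make_db():
    """Build an in-memory SQLite database seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customer (username TEXT, email TEXT)")
    conn.executemany("INSERT INTO customer VALUES (?, ?)", CUSTOMERS)
    return conn


def lookup_vulnerable(conn, username):
    """The classic mistake: untrusted input is pasted straight into the SQL
    text, so the input can change the *structure* of the query, not just the
    value being compared. This is the bug the post is talking about."""
    sql = "SELECT username, email FROM customer WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, username):
    """The fix that has been known for as long as the bug: a parameterised
    query. The SQL text is fixed at coding time; the driver passes the input
    as a bound value, so quotes and keywords in it are just characters being
    compared against the column, never parsed as SQL."""
    sql = "SELECT username, email FROM customer WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


# Constructed payload 1: close the quoted literal and append a tautology, so
# the WHERE clause matches every row and the whole table is returned.
TAUTOLOGY_PAYLOAD = "' OR '1'='1"

# Constructed payload 2: close the literal and UNION in the schema catalogue,
# then comment out the trailing quote. This is how an attacker learns table
# and column names before extracting the data that matters.
UNION_PAYLOAD = "' UNION SELECT name, sql FROM sqlite_master --"


def demo():
    """Run both payloads through both lookups and return the row counts as
    (vulnerable_tautology, safe_tautology, vulnerable_union, safe_union)."""
    conn = make_db()
    return (
        len(lookup_vulnerable(conn, TAUTOLOGY_PAYLOAD)),  # every customer row
        len(lookup_safe(conn, TAUTOLOGY_PAYLOAD)),        # no such username
        len(lookup_vulnerable(conn, UNION_PAYLOAD)),      # the table's DDL
        len(lookup_safe(conn, UNION_PAYLOAD)),            # no such username
    )


if __name__ == "__main__":
    print(demo())
```

Two things are worth noticing when running it. First, the safe version needs no input filtering or escaping at all: the same hostile strings simply become literal usernames that match nothing. Second, the UNION payload shows why a “harmless” lookup endpoint matters: the first thing an attacker pulls out is not customer data but the schema that tells them where the customer data lives.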

Without this information being shared, how are organisations going to understand the true scale of the cyber problem? I can understand many senior board members feeling that they have everything in place, and the “it will never happen to us” mentality. But the risks are high. Rarely in business are attacks targeted; they are usually indiscriminate and opportunist, driven by automated scanning for well-known weaknesses. Businesses need to adopt the mentality of locking the metaphorical doors and windows of their IT systems, forcing the opportunist elsewhere.

Cyber attacks are going to be a fact of life, and only if we ‘pull together’ as a society can we start to defend ourselves. So what do we need to do?

  • Make it mandatory to report a cyber attack, the methods used and the effects on the organisation;
  • To achieve point 1, stop vilifying the victims and learn from their ‘mistakes’;
  • Make it a legal requirement to have a board member responsible for the security of systems. I am amazed that 40% of companies still don’t have board-level reporting of information security;
  • Put information security on a footing equal to Health and Safety (without the over-zealousness).

The Government is taking steps in the right direction: establishing the National Cyber Centre, for one. CiSP (the Cyber-security Information Sharing Partnership) has been allowing organisations to share cyber attack information for a few years now, but I wonder how many boards are aware of the nature of the attacks in their sectors.

In 2016 let’s move to a more proactive approach to securing systems and information.

Main image by: Alexandre Dulaunoy


Happiness isn’t just for Christmas

Over the last month I have been amazed to witness how many companies are getting the basics of people management so badly wrong, particularly during the season of ‘good will’. One company, I heard, had told staff attending client Christmas functions taking place during the working day that they had to make the time up later. Didn’t they realise that their staff were doing vital work forging relationships with their customers during this time? How mean can an organisation get? I don’t really want to have a pop at the accountants here, but that does look a little bit like the balance sheet ruling the business! The staff were obviously a little miffed; certainly the ones I spoke to had lost a lot of ‘good will’ for their employer. At least three were considering leaving the company. If they do, it will cost far more than a few staff taking an afternoon out of the office to socialise with clients. Add to this the reduced morale. How will these staff perform next year?

This particular example got me thinking about a talk I was fortunate enough to hear earlier this year by Henry Stewart. Henry runs a company called Happy (what a great name). The company philosophy is that if people are happy they perform better. So how did Henry quantify this? Research by Alex Edmans looking at the last 25 years of the Great Places to Work survey shows that companies on this list continually outperform others. What Alex discovered was that if you had invested in the general stock market and after 25 years your portfolio was worth £100,000, it would have been worth £233,000 had you invested only in the companies on the Great Places to Work list.

In this short blog it is not possible to cover all that Henry said. But the basics are so fundamental to management that it is difficult to see why we have lost them. Henry suggests that the role of managers is to keep people happy. This doesn’t mean playrooms, bean bags and fun games; it is more about attitude. At some point we have all come across Maslow’s Hierarchy of Needs. Maslow suggested that the most basic level of needs (the bottom of the triangle) must be met before an individual can progress to the secondary or higher-level needs (Wikipedia).


Maslow’s Hierarchy of Needs

Henry suggests a very similar approach to managing people in his Pyramid of Management Needs. Working from the same principle as Maslow, the bottom of the pyramid holds the basic fundamentals. Interestingly, reward is the most basic and trust is at the top. Average organisations meet the first three tiers; happy, high-performing organisations also meet the top three tiers.

Henry’s Hierarchy of Management Needs

In 2016, why not choose to make the people who work for you happy? It takes a bit of thought and a lot of courage, but if the evidence is anything to go by, it has great rewards.

Let’s make 2016 HAPPY.

Main image courtesy of Thomas Iapperre
