
Why Prevention is Better than Cure when it comes to IT Security

on April 5, 2011

Recently I came across two different stories that made me wonder why companies fail to take security seriously until after they fall victim to attacks.

The first story, as reported by The Register, reports system failure as being the number one reason for the increase in data breach costs. The article reports that seven out of ten firms started using encryption after suffering a data breach and likewise 69 percent of victims strengthened perimeter controls after being compromised. In a separate story also reported by The Register, it appears that InterWorx was storing passwords in plain text in its control panel system and after having its system compromised had to change the system so as to no longer store passwords in plain text.

Both these stories highlight how some companies do not take security seriously until after they fall victim to attacks. And what’s even more tragic is that they seem to think that security is not very important. I came to this conclusion because using encryption to store passwords, and encrypting data in general, doesn’t involve a high cost, if any cost at all.

Having a system store passwords in encrypted form instead of in plain text might involve a little more work, but that too is negligible. So if these basic security needs involved neither added cost nor added inconvenience, why were they discarded? The only answer I could think of was that they were deemed unnecessary.
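To show how little work the change described above actually is, here is an added example; it is not code from the post, from GFI or from InterWorx. The post speaks of "encrypting" stored passwords, but the standard mechanism for credential storage is a salted one-way hash (here PBKDF2-HMAC-SHA256 from the Python standard library), because the system only ever needs to check a password, never recover it. The user table, the iteration count and the record format are constructed for the illustration.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional

# Parameters assumed for this illustration; a deployment would pick its own.
HASH_NAME = "sha256"
ITERATIONS = 600_000      # slows down offline guessing of leaked records
SALT_BYTES = 16           # per-user random salt defeats precomputed tables
SCHEME = f"pbkdf2_{HASH_NAME}"


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: scheme$iterations$salt_hex$digest_hex.

    Storing the parameters alongside the digest lets the iteration count be
    raised later without invalidating existing records.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(HASH_NAME, password.encode("utf-8"), salt, iterations)
    return f"{SCHEME}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the digest from the stored salt and compare in constant time."""
    try:
        scheme, iterations, salt_hex, digest_hex = record.split("$")
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
        iterations = int(iterations)
    except ValueError:
        return False            # malformed record: reject rather than crash
    if scheme != SCHEME:
        return False
    actual = hashlib.pbkdf2_hmac(HASH_NAME, password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(actual, expected)


def needs_rehash(record: str, iterations: int = ITERATIONS) -> bool:
    """True when a record was made with fewer iterations than currently required."""
    parts = record.split("$")
    return len(parts) != 4 or parts[0] != SCHEME or int(parts[1]) < iterations


def migrate_plaintext_store(users: Dict[str, str],
                            iterations: int = ITERATIONS) -> Dict[str, str]:
    """Convert a {username: plaintext_password} table into hashed records.

    This is the whole of the change a plain-text system has to make on the
    storage side; login code then calls verify_password instead of comparing
    strings.
    """
    return {user: hash_password(pw, iterations=iterations) for user, pw in users.items()}


if __name__ == "__main__":
    # Constructed sample table standing in for a plain-text control-panel store.
    plaintext_store = {"alice": "correct horse battery staple", "bob": "hunter2"}
    hashed_store = migrate_plaintext_store(plaintext_store)
    for user, record in hashed_store.items():
        print(user, record[:40] + "...")
    print("alice ok:", verify_password("correct horse battery staple", hashed_store["alice"]))
    print("bob wrong:", verify_password("hunter3", hashed_store["bob"]))
```

Each record carries its own salt and iteration count, so two users with the same password get different records, and `needs_rehash` lets a login path upgrade old records transparently the next time the user authenticates.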

InterWorx, for example, claim that the attack they suffered happened between February 28 and March 5. The incident was reported on March 10, by which time the company claimed that their system no longer stored passwords in plain text. So they were able to secure their system in less than 5 days; tragically, however, only after the damage was done.

There seems to be a prevailing philosophy that security breaches will not happen to us and therefore it’s not worth the effort to protect ourselves by preventing security breaches. Obviously this philosophy changes the second we are hit, as we then hurry to fix these minor issues and try to reassure our customers that they can rest easy and that the problem will not happen again.

As a customer what do you think? Is that enough? Or is that too little, too late?

 
Comments
Douglas the Bounty Hunter April 6, 2011 12:28 pm

Lessons are really learned the hard way. Just like human sickness, prevention is REALLY REALLY better than the cure itself.

Most small and medium sized businesses are the typical victims of data breaches and security mishaps. This is because they don’t have enough resources to combat these catastrophes. However, this is not a good excuse. Much security software today can be bought at half the price it used to be 5 to 10 years ago.

And besides, treating and solving your IT issues when the problem is already at hand could cost more.

Be proactive and you could save a lot of money in the long run.

Emmanuel Carabott April 7, 2011 9:24 am

I am not so sure that money is the real issue here. In the sense that even if a business is that short on money there are also free solutions which one can employ to secure their environment. Personally I think it’s more a question of avoiding security, thinking that such events cannot happen to them, because they’re small or because they have nothing to steal.

Another possible reason is that they might not have the skills or, more likely, would not be confident enough to change the infrastructure or even simply reconfigure it, due to the fear of breaking things that are currently working. What they don’t realize is that doing nothing is a bigger risk than actually securing a working environment.

Artie Gains July 8, 2011 7:34 pm

IT is like medicine – you don’t believe that prevention is better than treatment till the moment you get deadly sick. You have heard about AIDS, cancer, heart attacks but you don’t take them in earnest till disaster strikes. In a sense, you are saying, “This doesn’t apply to me.” Many business owners have this way of thinking and their IT managers can’t fight this attitude.