Make (the discussion about) IT Security great again

Michael Roth
7 min read · Jul 9, 2019


Do you have customers who are considering moving their data into the cloud? I do. And I have the feeling that I’m having the following discussion every other day:

C (customer): Yeah, we are not sure whether to move our data into the cloud. Because, you know, the cloud really feels unsafe.
M (me): Oh, I see. So IT security is a relevant topic in your company?! Okay, how much do you spend on IT security?
C: …well, you know… what exactly do you mean… to be honest… not so much.
M: You don’t spend anything on IT security, but think the cloud is unsafe? I think we have to talk. A lot!

Does that sound familiar? Do you know those customers who don’t really have a security concept of their own?

Another classic is “Yes, we do have an IT security concept. The guys from IT are doing it. Do I know anything about it? No, why should I? It’s an IT topic.”

Yet my favourite is the outsourced IT security: “We have those specialists who set up everything, and that’s fine. A very good company, somewhere in the east, I guess.”

So you trust some unnamed IT service company with your most important data and your whole security concept…? And still think the cloud is an unsafe solution?

Many people have the vague feeling that the cloud may be insecure, without being able to give any arguments for it.

Most organisations I know make too little effort to secure their data. They have struck IT security off their bucket list. But why? Why is IT security still an unsexy topic? I mean, there are plenty of webcomics about IT security. Can you make awesome cartoons about an unsexy topic? I don’t think so (and I know that, deep inside, you agree).

So, I think it is time to make the discussion about IT security great again! Because it is becoming more important than ever. Our world is becoming more and more technology-driven. And with more technology come more opportunities for criminals.

That is why we have to reach out to our customers to make them aware of IT security!

Why is it so difficult? I came up with three possible explanations:

1. On the one hand, the topic is too complex for most people to feel comfortable with. The technical part especially is, and you need good experts to keep track of current developments.

2. On the other hand, people tend to ignore inconvenient topics, although they know they shouldn’t. (Remember the homework you always did at the last possible moment? Yeah, I bet you do.) This is called procrastination.

3. Or perhaps the correlation between “giving your end-users some security training” and “massive data leak at [insert company name]” has not yet settled in the minds of the people responsible. Does proper end-user training really have an impact on my IT security program? (Short answer: Yes, it has! A massive one!)

Okay, the procrastination thing is something that amazes me all the time. Just imagine all of your customer’s data is gone. Just like that. How much effort and money would it cost to recover from such an incident? And why on earth would you procrastinate on such a topic?

But the other points are different. They all come down to one thing:

IT security is a technical topic as well as a human one. An up-to-date technical security solution is absolutely necessary. But the last line of defence is the employees, the end-users. That is a fact that has to be carried into the hearts and minds of your customers.

You know who also knew about this fact? Ser Stannis Baratheon, King of the Andals and the First Men, Lord of the Seven Kingdoms, Protector of the Realm, Lord of Dragonstone. Yes, I’m talking about Game of Thrones. This Stannis Baratheon knew a lot about IT security. Or at least about the structures behind every good security concept.

When he marched upon Winterfell to claim it back from Ramsay Bolton, he lost a significant number of his men to an ambush set in his own camp:

And in the end he is right. A proper fence would have helped to keep the enemy out of the camp, but even the best and most modern fence can be bypassed.

And then it’s up to the last line of defence. The end-users. The employees.

You have to get this key fact into the minds of your customers. It is the crucial point to get across.

Even the most modern and up-to-date security architecture has to be used by an end-user. The human factor is something you can’t get rid of. A whole Cyber Security Awareness Month was established just to strengthen the weakest point of any security solution: humans (though I don’t know why there are two, one for the United States and one for Europe). Even the most effective (and expensive) security solution has to deal with a human being interacting with it.


And one misguided click, one carelessly opened attachment or link, can cause massive data loss.

And in most cases there is no bad intention; they just don’t know any better.

If your customer designs something to be idiot-proof, the universe will design a better idiot. So, to get a grip on a modern security solution, our customers have to understand these core facts:

They are responsible for their end-users.

They have to make sure that their end-users won’t do something stupid (without knowing any better).

It is their responsibility to empower their end-users.

It is their responsibility that the end-users don’t remain idiots (in security topics).

So, in the end it is their responsibility to make IT Security a sexy topic for their organisation. And from my point of view, that makes it your responsibility to empower your customers to do exactly that.

And it’s not that hard. Laying a solid ground of awareness is not too much work.

There are technical components that may feel uncomfortable, agreed. But they are necessary.

But if you can get across the “why” and the “how”, the purpose and the core facts of IT security, then every security solution, whatever exactly it looks like, will work a whole lot better. And even better, the topic becomes tangible. For your customers and for the end-users as well. And tangible topics can be discussed and dealt with. They become a real thing. Not something someone should think about when there is time. IT security is a real thing and needs to be discussed as such.

So, strengthening the human understanding will automatically strengthen the use of the technical devices and solutions.

Empowerment increases security!

Coming back to the question from the beginning: what has all that to do with the cloud? As an Office 365 consultant, I am astonished that so many people demonize the cloud for being insecure while themselves using (if at all) security concepts which are not properly implemented, with users who are not trained at all.

So if you start talking with your customers about one of the core facts of IT security, the human, IT security can become a sexy topic again. And that makes cloud solutions sexy. And you know they are.

Because obviously…

I’ve gathered nine useful tips you should discuss with your customers, and for easier handling I’ve split them into two groups.

The first five tips are human-centred topics. They are absolute ground rules. That’s the basics. IT security 101.

The later tips are a little bit more technical. But if the first tips are understood, the later ones will be so much easier to implement.

1. “You are a target”

Make your customers aware that they are an attractive target for hackers. “It won’t happen to me!” is not a valid argument when thinking about IT security.

2. End-user Training/Awareness (Be careful what you click)

The end-users are the last line of defence. Their understanding of IT security makes all the difference. They can use or bypass any technical security concept.

3. Understand Phishing/Social engineering

The human factor must not be underestimated. Even security pros have their doubts when facing really good phishing or social engineering attacks. That is only human. Training helps.

4. Don’t leave your device unattended

A basic rule of IT security. People tend to be lazy and “forget” to lock their screen when going for a coffee. Again, that is only human. Make your customers understand that they have to explain the purpose of those security concepts in order to make users aware.

5. If the company has a VPN, make sure they use it

Well, I don’t know what else to say.

6. If the company doesn’t have a VPN, tell them to get one. Now!

Because you know about the importance of a proper VPN, don’t you? Don’t you?

7. Password Management

Password security is still a huge topic. And an annoying one. Please talk to your customers about a modern approach to the use of passwords. The UK government has some really good material on password management. And it is mandatory to stop enforcing regular password expiry. Microsoft has published an extremely good paper on password security.

8. MFA

Multi-factor authentication is one of the most effective ways to provide proper protection. This way, only the employee in person is able to unlock whatever is secured by MFA.

9. Backup, backup, backup

A backup is the most effective method to keep your data, even after a security incident has happened. I know it sucks to get hacked, but do you know what’s even more annoying? If your data is gone. Forever.

I would be happy if I have inspired one or two of you to think about IT security concepts again.
Do you have any questions or suggestions? You can find me on Twitter (@Gezeitenbrand) or just comment here.


Michael Roth

Office 365 Consultant and Service Adoption guy who is really into teamwork and solution-oriented thinking. Modern workplace, NewWork, Digitalization, hell yeah!