Jun 9, 201612:40 PMOpen Mic
Send us your blog for consideration!
Odds are, your company is committing this fundamental IT 'crime'
(page 1 of 2)
No one should be surprised Panamanian law firm Mossack Fonseca was a recent target of hackers. Hackers want sensitive data, whether it’s engineering drawings, customer credit card data, or — in the case of the Panama Papers — the financial secrets of wealthy international clients.
Given Mossack Fonseca’s obvious appeal to hackers, how is it possible that the firm’s information technology department failed at so basic a level to protect its data?
I suspect the same two reasons many businesses in Madison and throughout Wisconsin fail to protect themselves from modern threats: First, complacency about keeping software up to date. Second, too little focus on point-of-use security measures (that is, end-point protection as opposed to perimeter security such as firewalls).
How could Mossack Fonseca’s IT department act with such complacency to run versions of WordPress and Drupal, two popular open-source platforms for web content management, that had known security vulnerabilities for as long as two years?
Extending that question further, why are businesses so commonly complacent about updates? I think it’s a persistent symptom of the “Does IT matter?” malaise that affected a portion of the IT industry in the years following the dot-com crash. Specifically, certain new topics — especially ones with their own memes, such as “Big Data” — get attention and budget dollars. Whereas core infrastructure and operating system updates — that is, the basic blocking and tackling of IT operations — get short shrift.
Often IT leaders know this. They lament they can’t get the budget to update old software that won’t run on modern operating systems — as a result, they just don’t update the operating system. They worry their way through building out new mobile capabilities for employees to check email from any device, anywhere, knowing the increased risks but unable to act to deal with modern risks using modern tools. A prime example of the tension between user access and IT control is the impetus for Hillary Clinton’s basement email server — according to news reports, her unwillingness to use anything but the Blackberry smartphone to which she had grown accustomed.
Sometimes, apart from these inherent tensions, IT leaders fall into traps of their own making. They know they’re running effective perimeter security measures — such as firewalls and even new automated threat detection and prevention devices — and think that makes them safe. The problem is that hackers adapt, too. It’s now very difficult for hackers to get network access without masquerading as legitimate users. So, of course, they focus their energies on getting legitimate credentials and then building up their access rights once inside. That’s what happened to Target, Home Depot, and others.