According to Cenzic ‘s Application Vulnerability Trends Report: 2014, “While the majority of corporations have the important security building blocks, such as firewalls and intrusion protection systems needed for their security infrastructure, not enough organizations have comprehensive tools and practices in place for securing applications.” Faced with a worldwide shortage of Cyber Security professionals (Cyber Security has only recently become a discipline one may major in!), and companies unable to afford the overhead necessary for the requisite training, this situation is not surprising. Bad news for you. Good news for hackers.

Still think you can go it alone? Do you really understand the sheer magnitude of possible vulnerabilities? Here’s a sobering thought: Everything on the network is hackable. Everything—from your corporate computers to a 3rd party vendor to your employees’ Smartphones. Add to this the risky behaviors employees can engage in—sharing passwords, inappropriate web browsing, copying sensitive data onto mobile devices—and you’ve got exposure. Lots of it.

An objective Cyber Security assessment can assist with evaluation and establishment of controls to:

• Implement an information risk management program
• Ensure network security is adequate, including boundary and internal
• Guide user education and awareness
• Verify malware protection and prevention
• Deal with secure configuration and patch management for devices (network, servers, PCs)
• Manage user access and privileges
• Handle incident management
• Assist with home and mobile working

If you feel you aren’t ready to tackle all the items above, you should at least undertake a basic evaluation to consider only the most foundational building blocks for cyber security.

In a survey of its 3,400 global members, Information Systems Audit and Control Association (ISACA) found that although 83% of the respondents recognized Cyber Attacks as among their “top three threats,” only 38% felt prepared to endure one. Make sure you are part of that 38%. If you do nothing else, purchase cyber insurance. If you are ready to take additional steps, we can help.

P.S. On our C4C blog we recently wrote about the fallacy of thinking you are too small to garner a hacker’s attention. I can’t stress the following enough: While big companies more often make the news by getting breached for millions of records, they also have the financial resources to dig out of that hole. Small companies aren’t as lucky. A data breach at a small company can mean closing the doors, for good. Don’t let that happen.

Many companies think because they are small they are immune to a cyber attack—after all, they do not have the net worth of, say, Target ($38B) or Home Depot ($55B) or Walmart ($250B). This is a dangerous misconception. The fact is, whether you are worth millions or billions you are at risk, and your insignificant size might be the very thing putting you in jeopardy.

What makes a small business attractive to hackers? For one thing, smaller enterprises often don’t have the resources to implement the programs and training necessary to prevent, detect, and recover from attacks. Larger organizations do have the resources (including insurance) to weather a breach, but smaller ones may suffer irreparable damage. Another attractive difference is that while larger companies have a more holistic, integral view of IT security that extends across an enterprise, smaller companies tend to have a more myopic view where IT security is relegated to, well, IT. In addition, since smaller companies often have less sophisticated firewalls and detection programs, they may be targeted as a portal for later use as conduits to larger organizations. For example, preliminary investigations indicate that the mess at Target may have been initiated by an employee of their HVAC vendor who opened a malware-laden email. It has been said that you are only as strong as your weakest link, and all too often, that link is human.

Whether you recognize it or not, your organization’s systems and data are exposed in countless ways, including via mobile apps, third party vendors, remote employees, former employees, cloud storage, weak passwords, neglected legacy systems, and social media. In its September 30th report, Managing Cyber Risks in an Interconnected World: Key Findings from The Global State of Information Security Survey 2015, PricewaterhouseCoopers writes,

We also saw increases in attacks on connected consumer devices— such as baby monitors, home thermostats, and televisions— that comprise the Internet of Things, a nascent ecosystem of devices that interconnect information, operational, and consumer technologies. These Internet-connected devices are vulnerable to attack because they lack fundamental security safeguards…

According to Gartner’s 2014 Magic Quadrant for Security Information and Event Management, “more than 92 percent of breaches [are] undetected by the breached organization.”

Are you still feeling invulnerable? No matter how small your organization is, cyber hacking is an equal opportunity threat. As such, cyber security is no longer the province of IT; it is the province of everyone in your organization from the C-suite on down.

Our information security and risk assessment service will help you understand where you have critical risks in your cyber security landscape. If you are feeling uneasy or uncertain about your information security, let us know. We can help.

Over the next few months members of my team and I will be writing about:

• IT Maturity
• Capacity for Change
• Operational Effectiveness
• Measurement and Metrics
• Governance
• Portfolio Management
• Change Management
• Leadership and Organization Development
• Vendor/Service management
• Communities of Practices
• Innovation (my personal favorite)

Where to start? For me it all begins with a good understanding of who you are, where you are, and where you would like to be. And, just as an annual physical exam uncovers potential health issues, we insist on a “IT Health Check” too. After all, how can we know what remedial measures to take without an initial assessment?

Now, it seems pretty obvious that getting an annual check-up is smart and generally contributes to better health, right? Well, how many IT organizations put off a yearly exam and try to self diagnose? Worse yet, how many IT organizations have never even had an exam—you know, an independent review of how they operate? Interestingly, when we do a “Health Check,” we find that most IT organizations today are similar in two respects.

First—and to the seeming surprise of Business—IT is made up of human beings who have the same issues as everyone else: lack of trust, fear of conflict, lack of commitment, avoidance of accountability, inattention to detail, and indifference towards results. Having been in the business some 30 years I can tell you without question that these “soft” skills are just as important as “tech” skills to the success of IT initiatives and operational effectiveness.

Second, today IT stands poised at a crossroad. On the one side are the Business demands: compliance with internal and external regulations, security of information and assets, maintenance of IT architectural integrity and stability, and the delivery of innovative technology. On the other side are the obstacles to fulfillment: a rapidly changing workforce, a lack of leadership expertise, budgetary restraints, the shifting of non-core activities to external resourcing partners, and the fact that every department can make individual hardware and software decisions. The resulting tension and stress on IT cannot be overstated.

Considering these problems along with the scant resources spent on infrastructure, i.e., leadership and management training and development (that soft skills stuff I mentioned earlier), it is no surprise to me that most IT organizations are running full bore and still unable to meet the myriad Business objectives. We refer to this phenomenon as “no capacity to change,” and it is this very inability that is misconstrued as a lackluster attitude toward innovation, the very “innovation” that is supposed to save our beleaguered economy.

The challenges facing IT are complex; I won’t deny that. But they are not insurmountable. And, because this is my first blog, I feel compelled to tell you how deeply committed I am to helping IT employees and organizations work differently and maturely so that every individual and organization as a whole can deliver its very best. I want to give them the tools to work in new ways that are uplifting and rewarding. But most of all, I am determined to help IT gain the capacity to change and to attain its rightful place at the center of business driving innovation. By the way, this is what our consulting firm is all about.

Please check in from time to time. I’ll be here sharing my thoughts and specific ideas about specific issues—it would be great to hear from you too. For now, my parting thought is this: Get checked-out sooner rather than later so that you and your organization can begin to focus on innovation. After all, we have an economy to save.