Move along if your one of those “self help” guys I usually give a Like to. This will violate your sensibilities.
Assume you will be the victim of industrial cyber terror and your corporate and customer data will be breached, stolen, sold, held hostage, and distributed to a pool of villains in the dark world. This includes client lists, proprietary/trade secrets, pricing, margin, salary, tax, distribution channels, identities, medical records, user id’s, passwords, hash’s, salts, iterations, schemes, and everything else you can think of, and can’t.
Assume your employees will be careless or negligent with your data.
Assume your employees won’t always follow those best practices.
Assume best practices are nothing more than some blogger that doesn’t know as much as he thinks he does, that’s been reprinted over and over until it is a “best practice”.
Assume your employees won’t understand the premise behind the steps of real best practices.
Assume your auditors will never ask the right questions year after year (because the geeks won’t tell them where the bodies are buried unless the right questions are asked).
Assume your auditors can’t keep up with technology (the people who build and maintain this stuff can’t keep up).
Assume the white hat geeks on payroll don’t think the same as the black hat geeks looking for a payday by breaching your systems.
Assume it all.
We are getting much closer to a place where criminals will breach our systems and hold industry hostage. It happens, and more than we know. The events that do happen are just the “proof of concepts”, just the minimal viable products (MVP’s), and like other things, the media doesn’t cover it as it should. That’s right, assume that the company being victimized is going to do everything in their power to keep it under wraps or minimize it as if it never happened.
The more difficult it is to make an honest buck, the easier it is to make a dishonest buck, the more currencies around the world fall, the more corrupt our system becomes, the more turmoil that brews around the world, the more advancements we make in technology … the more cyber criminals like we have never seen before will cultivate and breed.
It’s coming soon, and we need individuals that can protect against the coming criminal tech wave. We need individuals who can challenge those who cannot challenge their assumptions; individuals that do not take comfort in “that’s the way we’ve always done it”, individuals of high integrity. This mindset I speak of rocks the boat, and we’d better start rocking.
For managers that think you can just “hire” or “consult” your way out of it, think again. This mindset needs to be breed from within, at the top and the bottom. We need to shine a light in every dark corner, and add visibility to each occurrence as if it were on the blockchain, without casting shame or blame (except where appropriate). Don’t assume that your architects are on the case, they are just as lacking in this mindset as the next guy. More likely than not, you have small sects of people that think like this, they just need to be empowered and unleashed from the hierarchy that binds them. Assume they have been beat down by the hierarchy and will not come out of their shell easily. These are the folk that know where your weakness lurks.
We live at a time when so many things are going “exponential” or “hockey stick”, or are on a high velocity to exponential. When industrial cyber terrorism go hockey stick, our world is likely to change forever. When that happens, only then will we think as much about the “keeping” what we get as we do about the “getting”.
Mama always said “a pound of prevention is worth a pound of cure”.
Be safe, practice safe crypto.
About The Author
In a past life I worked in the pits, and to some extent I never left them. My mind drifts there. Don’t get me wrong, I place high value in honor and integrity; but at every turn I look for vulnerability. I can recall working for a bank and plotting over drinks how me and my band of fellow employees could render their “dual controls” useless, although collusion or high rank was typically required. Admittedly, over drinks this was fun. But as I got into the software development industry back in the early 90’s, I slowly began to see the many opportunities for e-crime, no collusion, rank, or grift required. Many of those ideas that passed through the dark corners of my mind have come to pass. The ones that are coming are much worse, however, and I do have serious reservations about the era we are close to entering.