Process and procedures are just as important as technology.

A recent article on Wired.com argued that “Cybercriminals are still well ahead of information security professionals. The bad guys are getting better at what they do faster than ever before.” (Here is the original article) This is a real problem that every organisation has to face.

To most organisations, the answer to the digital problem lies in digital solutions. Their only level of protection is in keeping up with the bad guys through better gadgets. This is no longer enough. The digital criminals are getting smarter, more brazen, more persistent, and more sneaky, and they’re running rings around all users of cyber space—even the ones with the latest gear.

Data breaches are a regular occurrence in today’s digital life. Every day we see headlines about which company got hacked, how many records were stolen, how much money was lost, and how long it took the company to notice what had happened.

Most of these hacks happen to organisations that have large IT resources, comprehensive second-generation firewalls, teams of people to read the attack alerts, and large financial investment in digital protection. They still get compromised. They still lose data.

Why is that happening?

Humans make mistakes, and when it comes to digital protection, a single mistake can have a catastrophic impact on an organisation. I recently saw a video of a hacker compromising an ATM. He used nothing more than his finger. The hack was successful because the ATM had been left in maintenance mode after it had been filled with money.

There were other mitigating circumstances, but the main reason the hack was successful was a basic human mistake. The maker of the video tested about 100 ATMs and found that 5% had this or a similar problem.

This is a serious security issue, but it’s not caused by bad technology. It’s caused by employees who set up or work on ATMs forgetting to switch them out of maintenance mode, or securing them with easy-to-guess default passwords.

This is why processes and procedures are so important to any organisation. Procedures that are standard, that cover the regular way to do things and must be followed by all employees, are a simple way to reduce mistakes. Reducing mistakes increases security. Increased security means that the bad guys may go after easier targets.

If it’s a technology-related procedure in your organisation—whether it’s setting up a new ATM in a convenience store, setting up a work email account, or accessing a confidential client file—make sure that there is a process around it. This enables a not-so-technical person to do the job. It also stops the more technical people, who love to cut corners, from forgetting to complete the task correctly.

Want to learn more? Processes and procedures are a key component of our digital security awareness seminars, now available all over Australia. Check out this page for a seminar near you.

Roger Smith is an educator, teaching students at ADFA (UNSW) and showing them how vulnerable they are to cybercrime.

He is also CEO at R & I ICT Consulting Services Pty Ltd, an Amazon #1 author on Cybercrime and founder of the SME Security Framework. He is a consultant who specialises in inexpensive and highly effective security strategies for small and medium businesses and not-for-profit organisations.

He has developed and authored the SME Security Framework and the Security Policy Training Course, which are considered to be the definitive guides to helping SMEs protect their organisations using the principles of Technology, Management, Adaptability and Compliance.
