Read the book You CAN Stop Stupid - Ira Winkler - Page 12

Not All Industries Are as Smart


Retail loss prevention and dive instruction have clearly created comprehensive strategies for preventing and mitigating loss that account for human error and malfeasance. Unfortunately, many industries, and ironically even many practices within the same industries that are otherwise relatively secure, are not dealing with human error well. For example, Target, which generally has an outstanding loss prevention practice, failed when it came to a data breach in which 110,000,000 credit records were stolen.

When an organization fails to account for human error and malfeasance, and fails to put in sufficient layers of controls, the losses can be devastating. When organizations fail to implement an effective process of risk mitigation to account for user-initiated loss, there is a great deal of blame to go around, but organizations tend to point to the “stupid user” who made a single error.

No case is more notorious for this than the massive Equifax data breach. When Richard Smith, former CEO of Equifax, testified to Congress regarding the infamous data breach, he laid the blame for the data breach squarely on an administrator for not applying a critical patch for a vulnerability in a timely manner. Not immediately applying a patch is not uncommon for organizations the size of Equifax. However, a detailed investigation showed that there was a gross systemic failure of Equifax's security posture.

After all, not only did Equifax allow the criminal in, the criminal was able to explore the network undetected for six weeks, breach dozens of other systems, and download data for another six weeks. The attack was detected only after Equifax renewed a long-expired digital certificate that was required to run a security tool.

This type of scenario is common in computer-related incidents. Whether it is the failing of an individual user or someone on the IT team, a single action, or failure to act, can initiate a major loss. However, for there to be a major loss, there has to be a variety of failures to allow an attack to be successful.

Similar failures happen in all operational units of organizations. Any operational process that does not analyze where and how people can intentionally or unintentionally cause potential loss enables that loss.

The goal of this book is to help the reader identify and mitigate actions where users might initiate loss, and then detect the actions initiating loss and mitigate the potential damage from the harmful acts.

Just as the diving and loss prevention industries have figured out how to effectively mitigate risk arising from human failures, you can do the same within your environment. By adopting the proper sciences and strategies laid out in this book, you can effectively mitigate user-initiated loss.
