For Want of a Nail
The past few months have been ones of challenges and threats and, for some, devastation. Natural disasters and IT security threats have taken the forefront recently, but of course there is also, and always will be, increased regulation and public scrutiny. Being a stakeholder of a regulated business is a great responsibility in today’s world and feels much like climbing a mountain of loose rocks. We search desperately for a solid foothold only to feel the ground constantly slipping beneath us.
In recent weeks SILO Compliance System attended two conferences, the first on IT security and the second on anti-money laundering and compliance regulations. Both provided awareness of the loose ground at our feet and good advice on actions we can take when we return to our offices.
Taking action is key to climbing the mountain. The falls that our friends, colleagues, and even competitors have endured the past few months are experiences from which we can all learn. We share knowledge at these conferences. But that knowledge is useless without action.
The knowledge shared in conferences should not just earn us continuing education hours; it should spur us to action. Every delegate, after a conference, should be meeting with his/her managers to summarise the knowledge gained, review newly identified threats to the organisation, and start planning how to mitigate those threats and how to respond when the threats become our own reality.
At the IT security conference, the quote by Benjamin Franklin was on the screen as the Equifax data breach was explained. By now we know that the breach that impacted millions and cost the careers and reputations of senior managers was due to a system patch not administered in a timely manner.
For those not familiar with IT security, system patch administration is the equivalent of fixing a broken lock on a door. Once you notice the broken lock, immediate repairs must be made to prevent someone walking in and stealing your most valuable asset – the confidentiality, integrity or availability of your data. Something so small, a missing patch, was the cause of the data breach. It seems that Equifax lost the kingdom for want of a nail.
What action should we take with this knowledge? Answer: ensure we have adequate nails – that we have properly resourced our staff with the tools and skills they need to keep a foothold on the mountain so they too can protect the business.
What actions have you taken in the past 30 days to strengthen your foothold as a stakeholder in your business? Have you reviewed your business continuity plan? Do you have evacuation plans in place for employees in all jurisdictions? Do you know which of your business processes and people are most critical to continue serving your clients? How long will it take to get minimum business services back online? Do you fully understand which employees have “the keys to the kingdom”, i.e., your client data – and are there adequate systems in place (1) to protect them and (2) to protect you from them? Do you fully understand your IT defence systems and backup procedures? Have you planned the implementation of new data protection regulations in each of your jurisdictions – including updating your workflows and your software systems? Do you have written procedures in place for when a data breach is discovered?
Planning is only the first step in disaster prevention and response. Testing and drilling are also critical aspects of the climb. There is a reason militaries drill constantly: as many of us now know, having endured recent natural disasters, when the stress is on it is difficult to function mentally and make good management decisions. If drilled properly, and often, we can respond automatically when the ground beneath us shifts.
There is a way to gain a foothold on this mountain we climb. We can learn from others, stay aware, share our knowledge, take action to mitigate risks – and continue the climb.