Can technology make you less safe from cyber-threats?
I mentioned before that too much technology can be detrimental to your information security goals. In the insurance industry, there is something called moral hazard. Moral hazard is where an insured person takes more risks because the potential costs of such risks are taken care of by another party.
This also happens with IT security. Think about yourselves for a moment. You feel safer with anti-virus software and personal firewalls installed on your PC, and as such you may browse more “freely” on the Internet. Yes, your risks have decreased, but the additional risky behaviour – unsafe browsing in this case – may now increase your risk of being affected by malicious software.
I’ve seen this with many organisations. They’ve implemented some of the best security, but still have security breaches, sometimes from the simplest infections. This often causes them to doubt the effectiveness of the products and then to get more security products to address the perceived weaknesses. What had happened instead was that the users had come to expect that they were protected from such risks. Even the IT department is sometimes so lulled into a sense of security that they don’t consistently follow the required practices to keep their network secure.
So do you have a technology problem? Are you so dependent on technology that you have put yourself and your organisation at risk?
Consider the following statements:
- You think that technology is the only way that you can protect your information assets.
- You constantly purchase the newest and latest security technologies to protect your network without reviewing whether the risks they address are relevant to you, or have already been addressed.
- You have multiple technology tools that perform the same type of task, e.g. multiple anti-virus products, because “one may detect malware that the other didn’t pick up”.
- You are unaware of what your IT and business risks are and/or you cannot identify what your critical servers and services are.
- You think that as long as you are compliant with regulatory frameworks or standards, your network is protected and your information is secure.
- You and your users expect technology to do it all for you.
If you’ve answered “true” to even a few of these statements, then you may have a technology problem. You should reassess your mindset and beliefs about information security before you have yourself a moral hazard.