How Secure Can Your Company Be?

Last week, Cisco released an interesting report entitled Maximizing the value of your data privacy investments. Among the various findings from the in-depth, 18-country survey discussed in this report is that organizations that are mostly or completely enabled to satisfy the compliance requirements of the European Union’s General Data Protection Regulation (GDPR) had a significantly smaller number of data breaches during the past year than their counterparts that are least prepared to satisfy the requirements of the GDPR.

On one level, that’s good news: 89 percent of organizations that are not yet ready for GDPR experienced a data breach, while only 74 percent of GDPR-ready organizations experienced a breach. Clearly, GDPR is having a positive impact on data security.

Then again, that’s not particularly good news: even after going to the significant expense and difficulty associated with GDPR compliance, 74 percent of organizations still experienced a data breach! Of course, we would expect that figure to drop in the future given that the GDPR went into force only about eight months ago, but three in four GDPR-ready organizations still experiencing a data breach is very high.

This kind of result prompts a bigger question: just how secure can any organization realistically be? Given that we face a well-funded, intelligent, and collaborative set of adversaries in the cybercriminal community that will always have a guaranteed advantage (we need to protect every point of ingress while they need to break into just one), what is the lowest possible number of data breaches, malware infections, account takeovers, successful DDoS attacks, etc. that we can ever hope to achieve? Could a large organization not experience even one data breach in the course of a year? Could it not experience even a single malware infection? Could it prevent every insider threat? Could every CFO recognize every CEO Fraud attempt?

Probably not. So what is the target at which we’re aiming? A senior executive team or board of directors that is asked by the CIO for a 20 percent budget increase to improve security probably should know what they can expect to gain from that kind of investment. A vendor marketing a new technology to combat CEO Fraud or account takeovers would find it beneficial to their sales and marketing efforts if they could provide some concrete metrics about what their prospective customers could hope to gain by implementing their solution. Vendors of security awareness training would be well served by being able to report an X-percent reduction in successful phishing or ransomware incursions after employees were properly trained.

In short, it’s highly unlikely that any organization will ever reduce the success of cybercriminals’ efforts against them to zero. But what can we reasonably expect to achieve?

Inbox Zero? Why Not Inbox Giganticus?

We hear lots about “Inbox Zero” and why it should be the goal of every business professional. The purpose of emptying one’s mailbox, according to the proponents of this approach to mailbox management, is to eliminate clutter, get better at prioritizing tasks, delegate work to others, de-stress, gain more control over one’s information, or some combination of these and other factors.

But is it a good idea?

Yes, if you view email solely as a communications platform. No, if you view email as a combination of communications, file transfer, file storage and business intelligence. I fall into the latter camp — here’s why:

  • Email storage is cheap: from a cost perspective, there’s no advantage to minimizing email storage in an era of 50-gigabyte or larger mailboxes.
  • Keeping old email is useful: you can search years’ worth of email quickly and easily to retrieve old communications with clients, colleagues, prospects and the like. You can see what files you sent others and when they were sent. You can easily resend information that was not received by a recipient. You can follow conversations in email to see how they develop. You can determine how quickly people respond to your emails. Yes, all of these things can be done with a good archiving system, but not all businesses have an archiving platform (even though they should), particularly small businesses.
  • It can make you more efficient: instead of spending time reviewing, filing, deleting or otherwise managing emails on a daily basis, you can simply ignore the less important ones until you have the time or inclination to deal with them. Moreover, you can deal with some types of emails in batch mode on a weekly or monthly basis instead of handling each email individually every day.
  • You have a defensible record of your conversations: in the event that someone disagrees with your record of what happened with a client or a vendor, for example, an email thread can easily support your position and quickly resolve any disagreements that might occur.
  • It saves you time: even if it takes only three seconds to deal with each email, someone receiving 150 emails each work day will save about 31 hours per year by not clearing his or her inbox each day.

Just my two cents for your consideration.