In a recent interview about the Titan sub
catastrophe, James Cameron, director of the movie Titanic, who has made
33 successful dives to the Titanic wreckage site, pointed out that this tragedy
is eerily similar to the 1912 Titanic disaster: the captain of the 1912
RMS Titanic was repeatedly warned about ice ahead of his ship, yet he plowed
ahead at full speed into an ice field on a moonless night, resulting in the
deaths of over 1,500 innocent souls.
The captain of the sub Titan and CEO of the company
OceanGate, Stockton Rush, was also repeatedly warned: about his vessel’s safety,
the lack of certification of the vessel’s integrity, the lack of a tracking device
(think airplane black box), the company’s experimental approach to deep dives (despite
the fact that deep diving is a very mature and well-understood practice) and the lack of a
backup sub. He too plowed ahead at full speed, taking people down in an
extremely unsafe vehicle, which resulted in the deaths of innocent people. If
there was ever an example of willful negligence, this is it.
When it comes to IT security and compliance for small
business, this kind of willful negligence is rampant. Sometimes it ends
with an abrupt, catastrophic “implosion,” as with the Titan: a
company is destroyed by a ransomware attack, operations shut down, it is unable to
transact, employees and clients are harmed and its reputation is tarnished.
In other cases, the risk is there but hasn’t been addressed
because nothing bad has happened – yet. Willful negligence in IT
security and in regulatory compliance with data privacy and protection laws comes in
three forms.
The first is willful ignorance. Some people running a
business are young and inexperienced, too new to the business world to
understand the risks they are incurring by failing to protect their clients and
themselves. They don’t know what they don’t know. Often, they are being advised
by the wrong people – an IT firm that knows how to make their tech work but
lacks the expertise to implement good security protections. You can’t really
blame them for getting it wrong initially, but at some point they’ll get
smacked with a cyber-attack and learn the error of their ways the hard way.
The second type of willful negligence is being willfully
foolish.
This group CANNOT claim “ignorance” as their defense. They
KNOW they should be protecting their business and their clients’ data from
cyber-attacks. They’ve heard the stories, they know the laws and may have been
warned by their IT company or IT person, but they foolishly believe “that can’t happen
to us,” or choose to assume they’re “fine” because they are using a cloud
application that promises compliance (which is correct for THEM, not
necessarily for YOU). They trust but don’t verify that their IT person or
company is actually doing what they’re supposed to, and they often lack cyber
liability insurance, choosing to take the risk because they’re cheap or can’t
be bothered.
The third type of willful negligence is, in my opinion, the
TRUE meaning of willful negligence and the most immoral and unforgivable: determined
negligence. These people stubbornly insist on continuing to operate
without proper security protocols in place, without a disaster recovery plan,
without any insurance, without assessing and inspecting their environment, refusing
to acknowledge ALL the facts, history and evidence to the contrary. They
know they are acting irresponsibly but don’t care.
After the tragedy of the sub, multiple experts came forward
to point out all the risky behaviors Rush was allowing. The hull had not gone
through any type of cyclical pressure testing or thermal expansion and
contraction testing. The hatch could only be opened from the outside, not
the inside, so the passengers could not have escaped in an
emergency – one small fire inside would have been catastrophic. There was no atmospheric
system to monitor interior gases such as oxygen, carbon dioxide and carbon
monoxide, and no emergency air breathing system. The viewing window was only
certified to 4,000 feet, not the 12,500 feet of the Titanic wreck. But
the most egregious of all was the CEO’s egotistical assumption that he knew
better than everyone else around him.
I wonder if he put all of this in the brochure and explained that philosophy to the
people in the sub who lost their lives that day.
Everyone makes mistakes. Everyone has a moment in their
lives when they place trust in someone they shouldn’t. Everyone has blind spots,
and we’re all ignorant and misinformed about something. The question is:
do you STAY willfully ignorant or foolish, determined
to hold steady to your course of action, to the point where you not only do harm
to yourself, but to others as well?
If you do, it’s only a matter of time before you have your
own ship sunk, your own personal Titanic-size wreck. Sadly, if you’re
the CEO of a company that holds financial data, credit cards, medical records,
tax returns, Social Security numbers, birthdays or even the contact details of
your clients OR employees, YOUR willful negligence in cyber protection will
absolutely harm others.
This doesn’t mean that all those who are veering towards
that proverbial ice field can’t change course. Hopefully this entry in The
Werks has stirred even those with the hardest of heads to take a different
tack. If your business is important to you... and as a business owner, I know it
is... it’s not too late. If you are ready to steer away from the iceberg, get on
our calendar to discuss your options by clicking here.