President Ronald Reagan made the phrase “trust but verify” famous in the late 1980s. But he didn’t originate it: the phrase is a Russian proverb he learned from American writer Suzanne Massie.
Technology is not easy, plug-and-play, or bulletproof, and it should not be taken for granted. While it vastly expands your business capabilities, it also requires more knowledge and expertise to work for you instead of against you.
Blind trust that “the system” is working, is protecting us, and is stopping attacks is misplaced. In fact, the effectiveness of any tech is directly proportional to how well managed it is.
Here are three examples:
1. Backups

Of course you have backups, right? A backup is a necessary safeguard against ransomware, critical for disaster recovery, and important for the everyday occurrence of someone deleting a critical file by accident. But having a backup and being able to restore from it are two separate issues. Plenty of things can corrupt a backup: drive failure, configuration changes on either the source or the target, physical damage to media, a backup job that quietly stopped running months ago, and, of course, human error.
Because none of these is a thousand-year-flood scenario, there are a couple of best practices you should be following: keep a second copy on media you control and store it offsite (yes, even if you back up to the cloud), and keep redundant copies, whether with a second cloud provider or on separate internal systems, so that a single system or server failure does not take the only copy with it. At least one copy should be offline or otherwise unreachable from the production network, because ransomware that can reach a backup will encrypt it too. Stuff happens.
But the practice most businesses fail to follow is the periodic test restore from the offsite backup: restore a sample of files from the backup, then open them to confirm they are intact and usable. A backup job that reports “success” tells you the job ran, not that the data can be restored. Along with that, make sure your cloud backup provider has current contact information for whoever should be notified when backups fail.
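The restore test described above, as an added example that is not part of the original article: a directory is backed up into a gzipped tar, a SHA-256 manifest is recorded, the archive is restored into a scratch directory, and every file is compared against the manifest. It uses only the Python standard library; the sample data is constructed inline, and the truncation at the end stands in for a write that failed part-way or damaged media.

```python
"""Test restore of a backup archive.

Added example for this article, not code from the original page. Uses only
the standard library and temporary paths; the sample data is constructed.
"""
import hashlib
import tarfile
import tempfile
import zlib
from pathlib import Path


def sha256_file(path):
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def make_backup(source_dir, archive_path):
    """Archive source_dir and return {relative path: sha256}.

    Keep the manifest apart from the archive (with the offsite copy, say);
    a manifest stored inside the same damaged archive proves nothing.
    """
    source_dir = Path(source_dir)
    manifest = {}
    with tarfile.open(archive_path, "w:gz") as tar:
        for path in sorted(source_dir.rglob("*")):
            if path.is_file():
                rel = path.relative_to(source_dir).as_posix()
                manifest[rel] = sha256_file(path)
                tar.add(path, arcname=rel)
    return manifest


def verify_restore(archive_path, manifest):
    """Restore archive_path into a scratch directory and check it.

    Returns a list of problems; an empty list means every file came back
    byte-for-byte, which is the only real evidence that the backup is usable.
    """
    problems = []
    with tempfile.TemporaryDirectory() as scratch:
        try:
            with tarfile.open(archive_path, "r:gz") as tar:
                if hasattr(tarfile, "data_filter"):  # Python 3.12+ and backports
                    tar.extraction_filter = tarfile.data_filter
                for member in tar.getmembers():
                    # Never extract absolute or parent-relative names
                    if member.name.startswith("/") or ".." in Path(member.name).parts:
                        problems.append(f"unsafe path in archive: {member.name}")
                    elif member.isfile():
                        tar.extract(member, scratch)
        except (tarfile.TarError, EOFError, OSError, zlib.error) as exc:
            # A truncated or corrupt archive fails here, not in a job log that says "OK"
            return [f"archive unreadable: {type(exc).__name__}: {exc}"]
        restored = {
            p.relative_to(scratch).as_posix(): sha256_file(p)
            for p in Path(scratch).rglob("*") if p.is_file()
        }
        for rel, digest in manifest.items():
            if rel not in restored:
                problems.append(f"missing after restore: {rel}")
            elif restored[rel] != digest:
                problems.append(f"content mismatch after restore: {rel}")
        for rel in sorted(restored.keys() - manifest.keys()):
            problems.append(f"file not in manifest: {rel}")
    return problems


def demo():
    """Back up constructed data, verify it, then truncate the archive
    (simulating a failed write) and verify again."""
    with tempfile.TemporaryDirectory() as work:
        source = Path(work) / "data"
        (source / "reports").mkdir(parents=True)
        (source / "ledger.csv").write_text("id,amount\n1,100\n2,250\n")
        # 64 KiB of digest output: incompressible, so the cut lands inside it
        blob = b"".join(hashlib.sha256(i.to_bytes(4, "big")).digest() for i in range(2048))
        (source / "reports" / "q1.bin").write_bytes(blob)

        archive = Path(work) / "backup.tar.gz"
        manifest = make_backup(source, archive)
        clean = verify_restore(archive, manifest)

        data = archive.read_bytes()
        archive.write_bytes(data[: len(data) // 2])
        damaged = verify_restore(archive, manifest)
        return clean, damaged


if __name__ == "__main__":
    clean, damaged = demo()
    print("clean restore:", clean or "OK")
    print("after truncation:", damaged)
```

In a real schedule this runs against the offsite copy, not the one on the backup server, and the manifest lives somewhere the archive cannot corrupt.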
There’s nothing more dangerous to your business than the set-it-and-forget-it approach.
2. Cyber Security
You’ve got a firewall, intrusion detection, virus protection, a VPN, and a great IT team, so you can sleep soundly at night, right? Wrong. Not unless you got rid of all your staff.
Every big-name breach victim of recent years had all those things and more: Sony, Anthem, Target, Experian, the IRS. None of them was short of money or IT resources to put into technology. Yet all of them were breached (the IRS several times).
The greatest danger to any business is its own authenticated users: employees with legitimate credentials who, far more often than any exploit against the perimeter, open the door and let the attackers in. The best email filtering and network gear stops about 90 percent of phishing emails. That means 10 percent get through, and Verizon’s 2019 Data Breach Investigations Report says that of those, 18 percent of users will click a malicious link or download.
The solution is not better network gear. First, it is understanding how your employees actually work and how they circumvent security controls to get their work done (creating shadow databases, using unauthorized software or apps, taking work out of secure locations to finish at home). Second, it is working with employees regularly to ensure, not assume, that they understand the risks and can identify or verify an email before clicking. And finally, it is publicly recognizing and rewarding employees for being your company’s first line of defense. All of that takes time and human effort, not necessarily a big financial commitment. The more personal the effort, the better the result.
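The “verify an email before clicking” step, as an added example that is not part of the original article: the checks below surface the mismatches a trained recipient looks for, namely a Reply-To or Return-Path pointing somewhere other than the claimed sender, link text that shows one site while the href goes to another, and links whose domain is not the sender’s. Both messages are constructed and every domain is a placeholder; the registrable-domain logic is deliberately crude (last two DNS labels), and a production checker would use the public suffix list.

```python
"""Surface what a recipient should verify before clicking.

Added example for this article, not code from the original page. Messages
and domains below are constructed placeholders.
"""
import email
import email.utils
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every anchor in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable(host):
    """Crude registrable domain: the last two DNS labels (assumption, see lead-in)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def header_domain(msg, name):
    """Registrable domain of the address in a header, or '' if absent."""
    _, addr = email.utils.parseaddr(str(msg[name] or ""))
    return registrable(addr.rpartition("@")[2]) if "@" in addr else ""


def phishing_indicators(raw_message):
    """Return (code, detail) pairs for each mismatch found in the message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []
    sender = header_domain(msg, "From")
    # Replies and bounces routed somewhere other than the claimed sender
    for header, code in (("Reply-To", "reply-to-mismatch"), ("Return-Path", "return-path-mismatch")):
        other = header_domain(msg, header)
        if other and other != sender:
            findings.append((code, f"{header} domain {other} differs from From domain {sender}"))
    body = msg.get_body(preferencelist=("html",))
    if body is None:
        return findings
    collector = LinkCollector()
    collector.feed(body.get_content())
    for href, text in collector.links:
        href_host = urlparse(href).hostname or ""
        # Display text that looks like a URL but resolves to a different domain
        text_host = urlparse(text if "://" in text else "//" + text).hostname or ""
        if "." in text_host and registrable(text_host) != registrable(href_host):
            findings.append(("link-text-mismatch", f"text shows {text_host} but href goes to {href_host}"))
        if href_host and registrable(href_host) != sender:
            findings.append(("link-domain-foreign", f"link to {href_host} is not on sender domain {sender}"))
    return findings


# Constructed phishing message: lookalike display text, hidden redirect host,
# replies and bounces routed elsewhere
PHISH = """\
From: "Acme Bank Security" <alerts@acmebank.example>
Reply-To: support@acmebank-verify.example
Return-Path: <bounce@mail-blast.example>
To: someone@company.example
Subject: Urgent: verify your account
Content-Type: text/html; charset="utf-8"

<html><body><p>Your account will be suspended. Sign in at
<a href="http://acmebank.example.verify-login.example/session">https://www.acmebank.example/login</a>
to continue.</p></body></html>
"""

# Constructed legitimate message for comparison
LEGIT = """\
From: "Acme Bank" <alerts@acmebank.example>
To: someone@company.example
Subject: Your March statement is ready
Content-Type: text/html; charset="utf-8"

<html><body><p>View it at <a href="https://www.acmebank.example/statements">our secure site</a>.</p></body></html>
"""

if __name__ == "__main__":
    for label, raw in (("phish", PHISH), ("legit", LEGIT)):
        print(label, phishing_indicators(raw))
```

None of these indicators is proof on its own (marketing mail legitimately uses third-party link and bounce domains), which is exactly why the article’s point stands: the check has to be backed by a person who knows what normal looks like for that sender.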
3. Data Privacy

This is a flashpoint in conversations both personal and professional. Businesses have both a legal and an ethical responsibility to protect any customer information in their control, which can include online contact and sales forms, customer service data, and account information. Facebook recently took yet another reputational hit when it disclosed that hundreds of millions of user passwords had been stored in plain text in internal logs that its employees could read.
The situation gets more complicated when mobile devices and apps come into play, adding location data, passwords, PINs, biometric data, and more to what you may be holding.
Best practices: don’t collect what you don’t need, know where all of it is stored, review the stored data on a regular basis, and consider deactivating unused accounts. I recently logged into a site I hadn’t been to in more than five years. My account, including my credit card (now expired), was still maintained in the database.
Businesses never want to give a customer a reason to opt out. But the privacy climate being what it is, a periodic message to lapsed customers (say, those who haven’t logged in, purchased, or otherwise interacted in a couple of years), asking them to update their stored data as a security measure, could be well received as proactive protection. Eventually, abandoned accounts should be deleted or moved to cold storage, and any payment data they still carry should go first.
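The review-and-retire cycle described above, as an added example that is not part of the original article: a retention pass over a constructed accounts table that lists lapsed customers to contact, moves abandoned accounts to a cold-storage table that holds no payment data, and purges card details that have already expired. The table layout, the two- and three-year thresholds, and the column names are assumptions for illustration; the review step is separate from the apply step so a person reads the plan before anything is deleted.

```python
"""Periodic review of stored customer data.

Added example for this article, not code from the original page. Table
layout, thresholds and column names are assumptions; the rows are constructed.
"""
import sqlite3
from datetime import date, timedelta

NOTIFY_AFTER_DAYS = 2 * 365   # assumed: ask lapsed customers to review their data
ARCHIVE_AFTER_DAYS = 3 * 365  # assumed: move abandoned accounts to cold storage


def build_demo_db():
    """In-memory database with constructed accounts; dates are ISO strings."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE accounts (
            id            INTEGER PRIMARY KEY,
            email         TEXT NOT NULL,
            last_activity TEXT NOT NULL,  -- last login, purchase or contact
            card_last4    TEXT,
            card_expiry   TEXT            -- last day of the expiry month
        );
        -- Cold storage keeps only what is needed to restore the account
        CREATE TABLE archived_accounts (
            id            INTEGER PRIMARY KEY,
            email         TEXT NOT NULL,
            last_activity TEXT NOT NULL,
            archived_on   TEXT NOT NULL
        );
    """)
    conn.executemany(
        "INSERT INTO accounts VALUES (?, ?, ?, ?, ?)",
        [
            (1, "ana@example.com", "2019-05-20", "1111", "2021-06-30"),  # active
            (2, "ben@example.com", "2017-01-15", "2222", "2020-01-31"),  # lapsed
            (3, "cal@example.com", "2014-02-10", "3333", "2016-04-30"),  # abandoned, card expired
            (4, "dee@example.com", "2016-01-05", None, None),            # abandoned, no card
            (5, "eve@example.com", "2019-01-10", "5555", "2019-03-31"),  # active, card expired
        ],
    )
    return conn


def _ids(conn, sql, params=()):
    return [row[0] for row in conn.execute(sql, params)]


def review_accounts(conn, today):
    """Classify accounts without changing anything; run this first and read it."""
    notify_cutoff = (today - timedelta(days=NOTIFY_AFTER_DAYS)).isoformat()
    archive_cutoff = (today - timedelta(days=ARCHIVE_AFTER_DAYS)).isoformat()
    return {
        "notify": _ids(conn, "SELECT id FROM accounts WHERE last_activity < ? "
                             "AND last_activity >= ? ORDER BY id", (notify_cutoff, archive_cutoff)),
        "archive": _ids(conn, "SELECT id FROM accounts WHERE last_activity < ? ORDER BY id",
                        (archive_cutoff,)),
        "purge_cards": _ids(conn, "SELECT id FROM accounts WHERE card_expiry IS NOT NULL "
                                  "AND card_expiry < ? ORDER BY id", (today.isoformat(),)),
    }


def apply_retention(conn, today):
    """Apply the plan; expired cards are purged first so cold storage never holds them."""
    plan = review_accounts(conn, today)
    archive_cutoff = (today - timedelta(days=ARCHIVE_AFTER_DAYS)).isoformat()
    with conn:  # one transaction: either the whole pass applies or none of it
        conn.execute("UPDATE accounts SET card_last4 = NULL, card_expiry = NULL "
                     "WHERE card_expiry IS NOT NULL AND card_expiry < ?", (today.isoformat(),))
        conn.execute("INSERT INTO archived_accounts SELECT id, email, last_activity, ? "
                     "FROM accounts WHERE last_activity < ?", (today.isoformat(), archive_cutoff))
        conn.execute("DELETE FROM accounts WHERE last_activity < ?", (archive_cutoff,))
    return plan


def snapshot(conn):
    """What is still live, what is archived, and who still has a card on file."""
    return {
        "active": _ids(conn, "SELECT id FROM accounts ORDER BY id"),
        "archived": _ids(conn, "SELECT id FROM archived_accounts ORDER BY id"),
        "cards_on_file": _ids(conn, "SELECT id FROM accounts WHERE card_last4 IS NOT NULL ORDER BY id"),
    }


if __name__ == "__main__":
    db = build_demo_db()
    run_date = date(2019, 6, 1)  # fixed so the demo is repeatable
    print("plan:", review_accounts(db, run_date))
    apply_retention(db, run_date)
    print("after:", snapshot(db))
```

The point of returning the plan before applying it is the article’s own: the numbers a query produces still need a person to look at them before accounts and payment data disappear.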
The collection and maintenance of customer data must be important enough to warrant human intervention and critical evaluation. Even major global players that use advanced AI and programmatic algorithms, like Facebook, fail when they put their trust in technology alone, without verification.