Learning from others
David Spinks
Moderator of Cyber Security and Real Time Systems & Global Digital Identity Groups
In the last 48 hours I have spent time reading and understanding the contents of two white papers: one on planning and design of data centres, another on advice and guidance on mitigating and responding to ransomware. These documents were written and published by household names (big companies). Both documents came under the same heading: weak and missing large chunks of information; in one word, "rubbish".
Both of these companies know who they are, as I took the time and effort to message a number of executives of those companies who are my first-level LinkedIn contacts. One company has at least acknowledged the need to "have a look" at the published document. Neither company thanked me for taking the time and trouble to write to them (even if my help and advice was misguided).
So what can "WE" all learn from this experience? Firstly, senior executives often think they know best and accept that not everything the company does can be perfect. Well, in my opinion both these documents were so bad as to potentially damage both companies' reputations, because the topics of the white papers were focused in areas directly related to those companies' primary (supposed) strengths.
Another lesson is the fact that however many warnings are given by those who know best (FCA, ICS, FEDS, NCSC and FBI to name a few), many executives simply are too busy to take notice and continue to bury their heads in the sand. Clearly these executives do not care about recent fines issued by the ICO or the damning contents of reports on breaches of EasyJet, BA, Marriott and Ticketmaster.
Some of my friends and associates, Andy Jenkinson and John Walker, have also, in good faith, been issuing similar warnings to organisations they see as also having weaknesses in their security postures.
So I hope both of these companies begin to learn from others who take the time and effort to communicate possible vulnerabilities in their defenses and weaknesses exhibited by publishing BAD white papers. In this case, however, my fear is that what we will actually see is press reports in the near future, relating the news that these companies (who have chosen not to take notice of advice and guidance) themselves have suffered major security breaches.
Only time will tell if my prophecy comes to pass. Only I and those companies will know.