Here in the Northeast, we’re dealing with tons of rain. If I correctly understood what the local news stated yesterday, this has been the wettest March on record for the Greater Boston region. The evidence is everywhere. As I walked my Bernese mountain dog Max this morning, I saw a number of houses still pumping a lot of water out of their basements. My previous two houses were like a scene out of “A River Runs through It” every time it rained heavily. While I am happy my current house is less prone to infiltration in the basement, I do feel quite bad for those who are not so fortunate.
As I was preparing to leave home for work this morning, one of the local news affiliates was reporting that there was a rash of scammers in Boston who were posing as inspectors for a fake Boston/MA water damage assessment/relief team. They would come in and begin a damage assessment and if the homeowner left (presumably for work), they would steal thousands of dollars' worth of items from the home.
What is it with natural disasters? Why do scammers come out of the woodwork at such devastating times? The answer is quite simple. Many people are unsuspecting, are trusting of others without question, and just don’t believe something so awful can happen to them. Many fail to think clearly about what is asked of them, and the impact of what could go wrong if this person is not who they say they are.
And this very reasoning is why auditors, consultants, and other service providers speak ever so loudly regarding the notion of Threat Assessment, Risk Management, and Enterprise-wide Vulnerability Assessments (three items from a very long list).
What factors are generally at the core of an organization which suffers a data breach? Clearly, there are hundreds of possible factors. However, I would argue that just like the homeowners noted above, a breached organization is unsuspecting, often too trusting, and just doesn’t believe something so awful can happen to them.
What is an unsuspecting and trusting organization? Perhaps it is one that has not performed a vulnerability analysis in a long time (or ever). This organization has been doing business “the same way for years”, and believes they have adequate controls in place. This organization also may not truly understand the benefits of implementing certain controls simply because they are best practices. Without a doubt, even if a control is a best practice, it may not be feasible for all organizations. I get that. But the critical success factor here is whether or not the organization is even trying to determine where their weaknesses are.
Perhaps this “fictional” organization also doesn’t communicate well internally. Sure, there may be risk assessments being performed in various locations within the company. But at what level are they being performed? Are individual business units performing their own assessments? Are the results of these assessments being communicated to a central risk management body for prioritization/action? Failure to communicate this information when it is collected and available is akin to an NFL player walking onto the field without pads. You know you shouldn’t, but you do anyway, and you will get hammered pretty hard as a result.
Organizations have powerful tools at their disposal to become well-governed entities. But individuals and homeowners do not. What is a homeowner to do? How does a homeowner prevent a situation where another person (i.e., an insurance claims adjuster) questions their common sense? They need to think of their home as if it were a business entity. They need to put themselves in the shoes of a senior executive and ask:
“What can go wrong?”
“Which of my assets can I do without?”
“What actions must I take in order to mitigate my concerns and to protect what is important to me?”
The age-old adage “when it rains, it pours” is quite apropos these days. Homeowners have a lot to worry about. Businesses have a lot to worry about. Homeowners, cities, towns, countries…they all seem to be dealing lately with a great many natural disasters. So too are businesses. They just take a different form in the business world. People can hold an umbrella when it rains. Businesses can too. But the corporate umbrella takes the form of threat management, risk management, and sound governance.
We all need to open the umbrella sooner rather than later, and often. There are many threats facing us now, and many more are likely to come in the future. We all need to be ready.
- Jeff Bamberger