Lack of compliance, weak links, and shirking responsibilities — these are some of the reasons for common security fails. The fact remains, most security breaches are preventable. Or, at the least, they should be. It’s not easy to create a dynamic process and implement procedures and measures in an environment with people and facilities already in place.
Now, corporations often pour hundreds of thousands, millions, or even billions of dollars into integrating a foolproof system that secures assets, data, and people. With an investment this large, we expect the security system in place to be reliable.
However, it’s a difficult job, given that designing security procedures often doesn’t begin with a blank slate. Not to mention, the mission of any protection operative is to safeguard their principal, along with other employees and the assets of the enterprise. What’s more, such a short-sighted view may result in the security personnel exposing themselves.
And when a significant loss or act of violence occurs, blame usually centers on the organization’s security department, especially when there is plenty of responsibility to go around, from the administrative to the executive level, and even among regular employees.
Additionally, what happens when that weak spot is within a corporation?
Security programs fail when they are poorly designed or when they are poorly executed. Clients must seek advice, either by employing internally or contracting externally, from genuine experts and heed the advice in terms of actioning recommendations.
Unfortunately, physical security budgets are often fractions of their project cousins in cyber security. Clients must beware of who they rely on, like in any industry.
Many private security providers only provide labor and do not or cannot deliver security solutions. Auditing security systems through penetration testing and reviews should be periodic and follow any major environmental changes.
– Josh Reeve, Chief Security Officer, Empire Protection
Weak Links and Security Fails
An axiom we often hear, that a chain is no stronger than its weakest link, remains as relevant as ever. Knowledge about the weak links in your organization is vital, as all systems have one. It just might not be that obvious.
A lot of security is like this. An apt threat actor attacks a system at the most fragile countermeasure they can find. What’s more, finding a weak link is difficult, and securing it may not be worth the trade-off, so to speak.
You want to work towards ensuring no single vulnerability can compromise the company’s security system. Military defense strategists refer to this as the position of the inferior. It is an approach in which security personnel remain alert at all times while considering every possible attack that may occur.
On the other hand, an attacker need only choose one method of assault. For them, it’s more a matter of finding the right moment when guards aren’t alert. The truth is, these circumstances overpower security operatives, and often. There’s no possible way to safeguard against all possible attacks all the time. An officer may, for example, react a second too slowly or fail to investigate what they assume to be a harmless-looking object.
What it really boils down to is minimizing the problem the weak link causes. To do this, you implement a complex system that makes it hard for an attacker to do their job, and you avoid haphazard security improvements that focus too much on recognizing a problem and then fixing it in isolation.
Ineffective Strategies, People, or Equipment
Disorganization has little strategic benefit when it comes to improving security. Not to mention, innovative thinking and strategies may backfire without appropriate guidelines in place. There needs to be a detailed security analysis on an ongoing basis to ensure the improvements put in place are where they’re most needed.
Far too often, unprepared people are tasked with a job they’re not trained for, which is unnecessarily risky. Other times, due to budgeting issues, corporations staff an insufficient number of officers to cover the level of security required. Then there’s the issue of the efficiency of essential security tools.
Recent media reports claim tasers are less reliable than we might think. According to an APM Reports investigation, in 258 cases over a three-year period, a taser failed to subdue a person who was later shot. So why is something created to help officers protect themselves without the use of lethal force so unreliable? Well, police officers themselves rate the new models of tasers as considerably less effective.
We can’t place the blame solely on the equipment. A lot has to do with human error. For a taser to work as intended, so much has to go right. The officer has to hit the target with both barbed darts within an inch of skin and at least a foot apart from one another to create a complete electrical circuit, thus safely incapacitating the person.
Worldwide, many patrol officers carry tasers, which have become a ubiquitous law-enforcement tool. Are officers trained well enough to effectively use this essential tool?
Security Fails Due to Human Factor
Whenever you’re dealing with protection, it’s nearly impossible to control human error and risk. First of all, a major problem is that many people are stuck in a fairly traditional mindset, one that’s reactive rather than proactive, especially when dealing with compromised security systems.
Far too often, employees and misconfigured systems do the heavy lifting for attackers. Many people rely on default passwords or simple, breakable passwords, and employees fail to update software. In addition, they believe simple measures like installing antivirus software and a firewall provide sufficient protection.
At a granular level, employees may invalidate the benefits of regular red and blue team exercises. The reason mainly has to do with how the C-suite is communicating vital information to their staff and how they’re reinforcing safe system behaviors.
Then there’s the issue of malicious insiders, a top threat to any organization. Insider threats originating from those trusted to protect are not an anomaly. They’re not inhibited by cyber defense policies, but rather have direct access to the system and sensitive information. This calls for establishing an insider threat program to counteract subversive security fails.
Where Does Responsibility Lie?
Today, security functions largely as a centralized system, meaning staff are excluded when new products, services, and processes are integrated. Among other things, this involves some level of security risk. And when something does eventually go wrong, most everyone shies away from the blame. Who wants to take accountability for a bad outcome?
To tackle insider threats and foster a culture of accountability, C-suites and security leaders need to make employees a top security priority throughout their organization. This means human resources, talent development, legal, and IT teams work closely with the security office and unit.
Almost everything starts with strong leadership, whether it be intensive training and education or the implementation of strong security solutions that help prevent problems from happening.
The shirking of responsibility helps no one. We need to galvanize those in the security world to be more proactive about risk assessments, identifying existing weaknesses, and implementing strategies to fix them. But not haphazardly and not in isolation.