I’ve been doing IT for a long time – a healthy chunk of that within the AED industry. There’s a bunch of things that set the AED world apart, both within IT and without.
One of my favorites is how open most firms are. They’re open internally – “we want all staff to be able to see all projects” and they’re open externally – “sure, yes, let’s share what worked or didn’t work with them”.
A deeply cynical person might say that these are due to the desire to easily shift labor resources around, and to maintain the “keeping-up-with-the-Joneses” culture that’s fairly prevalent.
But as cynical as I am (I make Diogenes look like an optimist), I don’t buy those reasons. Leadership I’ve dealt with do want to make project information widely available, for all sorts of reasons. They do want staff seeing different approaches, different methodologies. Hell, many firms spend thousands every year sending people to Knowledge Management conferences, which, to be honest, I *am* deeply cynical about.
They do enjoy sharing information with other firms. The associations I’ve been part of – AECIT, LFRT, etc., have been a great resource due in large part to the willingness of firms to be open about things other industries would jealously guard.
I am going to make some general statements here. They’re all worthy of commentary in and of themselves, but here, they’re just laying the context for the security vs ease of access conversation.
- Most firms follow a traditional career ladder system, where leadership is comprised of older (50+) staff.
- Those who were born prior to the Internet, in general, have a harder time adjusting to new/different technology.
- C-suite individuals, whether in AED or other verticals, have a bottom-line approach and don’t like to be mired down or impeded when trying to do their job.
- AED firms tend to govern by consensus rather than mandate. (Engineering firms are a *bit* more ok with mandates than Architects/Designers, but not by much.)
Just putting those out there. There is no judgement attached, but if you disagree with me, please let me know – I’m always keen to hear other takes.
For the first 10-15 years I spent in AED IT, nobody really cared about security. Let’s be honest. Do we have the basics covered? Yup? Ok. Moving on. Any security discussions happened post-event, never before. And when they did happen beforehand, they were brought up by IT, not leadership. The problem was that the proactive conversation always had a cost component (we need better A/V, backups, firewalls, etc.). And explaining how much the risk differs between using Defender ATP and Webroot is *really* hard, let alone explaining that doubling your expense is worth it.
So firms would be lax on anti-virus, and then there’d be a virus, and then the anti-virus would be an important expense. And then there’d be a virus from email, so anti-spam/email anti-virus became a big deal. But in general, when IT expenses result in *soft cost* savings rather than *bottom line* savings, it is hard to get AED leadership on board. I don’t think that is unique to AED, but when you’re dealing with people who *always* think about the bottom line, project budgets, profitability, resource planning – the concept of soft costs is even a bit more ethereal.
But that has changed in the last five years, just a bit, and *really* has changed in the last two years.
Obviously, the anonymity Bitcoin provides is part of it, but really the explosion came with the massive increase of Office 365 migrations. When email is hosted with Microsoft, it is very easy to just attempt to log in as a user. *Everyone* gets their webmail by going to outlook.office.com.
So if your work email is floating around out there – be it one scraped off the company website, or one used on a different site that was breached – the attackers now have two of the three items necessary to get into your mailbox: 1) “where” it is on the internet, and 2) your username. The last third comes down to your password, and, as you might expect, that is not as hard to get as it should be. The need for dozens of accounts for various websites means people keep passwords simple, keep passwords for a long time, and use the same passwords on a bunch of different sites.
This is why MFA (multi-factor authentication) is an *absolute* must have. No discussion. No “but this, but that”. No. Shoosh. But across our industry, IT continues to run into roadblocks concerning MFA and security in general.
There is a direct trade-off between security and ease of access. A great example of this is MFA. Before it was: go to website, punch in username/password, hit go. Now it is: go to website, punch in username/password, get an MFA prompt, get your phone out, get a code, punch the code into the site, and go. There are a dozen variations on that, but it can be a hassle.
This goes into all aspects of internal security as well. Restrictive permissions on a project? “Why can’t I go there?” Requiring passwords on file links sent via email? “Why can’t they just click it?” As security increases, access decreases. To increase ease of access, you lower security.
The true trick, the true sleight of hand for IT, is to attempt to increase security to a decent level with the minimum of headache for end users. Because there isn’t a lot of buy-in, especially at the leadership level. Yes, you can implement MFA, but not for the C-suite. Well – they’re the ones who need it most. I can cite a dozen instances over the last two years where firms have lost money due to impersonation via email.
So if you are in leadership, please take these suggestions onboard.
- Set the example. It is hard enough to enforce security measures of any stripe if others know you’ve decided to ignore them.
- Understand that email impersonation fraud is the #1 risk right now. If hackers encrypt your files, you can go get backups (or pay them off). There is *no* backup of your bank account.
- Many of the frauds that occur happen because there is no secondary verification. Almost all of the frauds are “this is urgent, I need this asap!” requests. Train your staff that when any email is received with a nonstandard request regarding money in any way, especially if it is urgent, to have them *call* the originator. It takes ten seconds. If it is a legitimate request, it shouldn’t bother the requestor. Another step? Yes. Important? Very.
For the AED IT folks:
- Don’t give up when security is concerned. Your obligation is to the best interests of the firm, and if that means sounding like a broken record, so be it.
- Try to right-size your security stance with what your firm does. Firms with DoD contracts, for instance, will require a unique posture.
- Don’t stop with MFA. There are many steps you can take to increase your O365 security, not the least of which are Conditional Access rules and some other fairly straightforward policies which don’t necessarily impact end users directly.
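As an added example (not from the original post), here is what a Conditional Access rule that backs up the “MFA for everyone, C-suite included” point looks like when created with the Microsoft Graph PowerShell SDK. It starts in report-only mode, so nobody gets prompted until you have checked the sign-in logs for who it would have affected; the break-glass account ID is a placeholder.

```powershell
# Added example, not the post's own code. Assumes the Microsoft.Graph PowerShell
# SDK is installed and the signed-in admin can manage Conditional Access.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

# Placeholder object ID of the emergency-access (break-glass) account.
$breakGlassAccountId = "00000000-0000-0000-0000-000000000000"

$policy = @{
    displayName = "Require MFA for all users (report-only)"
    # Report-only: the would-be result is written to the sign-in logs but not
    # enforced, so end users are not impacted yet. Change to "enabled" once
    # you have reviewed the results.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users = @{
            # "All" deliberately includes leadership. Only the break-glass
            # account is excluded, so an MFA outage cannot lock every admin out.
            includeUsers = @("All")
            excludeUsers = @($breakGlassAccountId)
        }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("all")
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")
    }
}

New-MgIdentityConditionalAccessPolicy -BodyParameter $policy

# Confirm the policy exists and is still in report-only state.
Get-MgIdentityConditionalAccessPolicy | Select-Object DisplayName, State
```

Once the report-only entries in the sign-in logs show no legacy clients or service accounts that would break, flip the state to "enabled" and the prompt described earlier in the post becomes mandatory for everyone.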
In summary – I think everyone gets it. We work in a culture that strongly values openness and sharing of information. But we need to figure out together how to accomplish that while still protecting the firms we work for. If that means another 10 seconds out of your day, or a small fractional increase of the IT spend, so be it.