Too long ago I spent about a year at the Georgia Institute of Technology in Atlanta, continuing my university studies. Shortly after arriving, the person who was in charge of campus security gave us a talk in which he congratulated us on the fact that Atlanta was no longer the most dangerous city in the USA, but the second most dangerous (we are talking about 1999). He also warned us, with emphasis on the younger ones, to be careful with the illusions of immortality typical of teenagers, to avoid unnecessary risks and to adopt certain safety measures.
I have a feeling that this kind of illusion applies quite adequately to many companies. In general, the thinking that still prevails in many organizations is the familiar one: it can’t happen to us. The equivalent is the one who gets in the car thinking that accidents happen to everyone but him and ignores seat belts and any “reasonable” speed limit.
However, there are two undeniable facts. The first is that accidents still happen. Fortunately, they are fewer and fewer and rarely serious, but the statistics are there. The second is that accidents are decreasing thanks to the safety measures that are being designed and implemented and not because of divine intervention: seat belts, airbags, traction control, ABS, stability control, deformable bodywork, rigid cockpit, etc., in addition to the various awareness campaigns.
The point is that there are still too many companies in the teenage years of the digital era. They think that no matter what they do, there is no danger: that encryption is for paranoids, that Peter1976 is a valid password, that the lunchroom is as good a place as any for the corporate server, or that paper shredding is not so essential.
Little by little, some of these companies will mature and understand that risks are real; they will implement security controls and assume not only that sometimes accidents do happen, but that it is necessary to implement measures to prevent them from happening. They will also understand that, as happens with driving, they are exposed not only to attackers but also to trusted companies that may not take these security measures (an aspect that gives us a topic for another entry: the need to understand that your insecurity affects others). Other companies will end up learning the hard way and finally (and here we will leave aside the simile for obvious reasons) some will have to close down.
Does a car in good condition, with reasonable safety measures and responsible driving, guarantee that we will not have accidents? No, unfortunately not. But it does make them much less likely and significantly reduces their consequences. The same goes for digital security.
Perhaps this post has seemed unhelpful to you. If so, think about road safety awareness campaigns. Do you really think they are useless?