Hey #infosec,
what's your best answer to people telling you "But we're not a Bank!" whenever you plan to introduce any measure to lower a risk?
@Newk
Reminds me of a story a friend told me. He got a call to assist a small manufacturing company that had been hit with ransomware.
He met with the lady who owned the company. Her husband had started the company over 30 years ago. Had somewhere around 40 employees. Successful business. Husband had passed a few years previously.
This was her husband's legacy. Friend helped and brought in 3rd parties to restore their systems. They lost the majority of their data, including customer billing details, plans for their products, documentation, etc., going back to the founding of the company.
Took nearly 3 months to "recover". Friend meets with her and she admits they were within about 72 hours of shutting the business down permanently. Bye-bye husband's legacy.
So he starts talking to her about cyber security planning, etc. She tells him she's not interested. She figures that since they survived this, they could get through it if it happens again.
He lost his shit with her and basically told her never to call him again.
I agree that your risk assessment decides which measures to take. True! And I'm always willing to discuss the risk.
But what "triggers" me is the "killer argument" that we aren't a bank. The last decade has shown that you don't have to be a bank to get financially motivated attackers to pwn you.