Heard this today in a client meeting and was just… stunned.
The meeting was at a public entity that provides critical supplies to a local community. Like, survival level critical supplies.
A.k.a. drinking water.
Nobody in the organization had any clue as to the risk they expose themselves and their community with this setup.
Nobody knew what I meant when I asked, “why isn’t this server virtualized and hosted in the cloud yet?”.
Nobody understood that their “backup” wouldn’t get them any functional setup for days or weeks until someone from IT ordered new hardware, installed and configured it, and restored whatever “backup” their IT service provider may or may not maintain.
Their faces were at first annoyed upon my probing.
Then shocked when they realized how exposed this organization is, and how steep their learning curve will need to be going forward in our quest to achieve Information Security.
And I can’t even blame any of them. How are they supposed to know? Their focus is daily operation of the supply system. Finance and accounting. Purchasing. Meter reading and invoicing.
And clearly their MSP categorically ignored their obligation to drive the digitalization of this public entity, to strategically develop its IT and business continuity organization, and to ensure that this client will be able to secure the water supply for tens of thousands of customers.
I realized again how dysfunctional some of the most common organizations can be due to no fault of their own.
Town management, DPW, wastewater, drinking water, schools, but also mom-and-pop manufacturing shops, stores, retail, services for marketing, photography, childcare, butcher shops or bakeries – virtually all of them have neither the knowledge nor the capacity to manage their own IT and security. They trust their MSP, their accountant, their payroll company to protect them from harm due to lost, manipulated, or inadvertently disclosed data.
But the reality is these service providers aren’t usually any better and barely scrape by doing the absolute minimum.
And the worst part? Nobody realizes the extent of this exposure, because “we’re not big nor important enough to be a target”.
Well, you are. We all are. And you are a ridiculously easy target, specifically because you think you aren’t.
It is feasible and affordable to do better. You don’t need six-figure investments to do better.
What you need is an internal organization that takes ownership of your information security, guided by knowledgeable InfoSec professionals and a fractional ISO to work through the steps that make you just a bit harder a target than the next organization over. Begin there and it will make all the difference.
What you need is me and my team at Granite State InfoSec Consulting. And to get started. Now.
#InfoSec #ISO27001 #TISAX #GSInfoSec #Cybersecurity #NISTCSF #NISTCIS
“We’ve got that server in the closet that runs these software applications we use every day”
Public infrastructure and small business entities often don't have the knowledge and awareness to assess their information and cybersecurity risk exposure. GSIC is here to help.


Wolf von Schoen (Editor)
Wolfram von Schoen is a German-American automation engineer and information security professional with 30+ years of experience in industrial operations, product development, and business systems consulting. He is the founder and president of the Granite State InfoSec Companies, specializing in Information Security Management Systems like ISO/IEC 27001 and TISAX®, and Business Continuity Management. A third term elected water commissioner and active Rotarian, he lives in New Hampshire and enjoys the outdoors and motorcycling.