Trusting Tech

President Ronald Reagan made the phrase “trust but verify” famous in the late 1908s. But he didn’t originate it: The phrase is a Russian proverb he learned from American writer Suzanne Massie.

By Laura Haight

Technology is not easy, plug-and-play, or bulletproof, and it should not be taken for granted. While it vastly expands your business capabilities it also requires more knowledge and expertise to work for you instead of against you.

Blind trust that “the system” is working, is protecting us, is stopping attacks, is misplaced.  In fact, the effectiveness of any tech is directly proportional to how well managed it is. 

Here are three examples:

-- BACKUPS.  Of course, you have backups, right? Having a backup is a necessary firewall against ransomware, critical for Disaster Recovery, and important for the everyday occurrence of deleting a critical file unintentionally. But having one and being able to restore from one are two separate issues. Lots of things can happen to corrupt backups, including drive failures, configuration changes on either a source or target locations, physical damage to media, and drive failure. Oh, yeah, and human failure.

Because none of these possibilities is not a thousand-year-flood type scenario, there are a couple of best practices you should be following. LIke maintaining a local backup kept off site (yes, even if you backup to the cloud), and having redundant cloud backups (or local backups, if you do these internally) in the event of system or server failure. Stuff happens. 

But the top practice most businesses fail to do is periodic restores from the offsite backup, which includes restoring files from the backup and then opening them to ensure the file is viable. Along with that, make sure your cloud backup provider has current contact information for whomever they are supposed to notify if backups fail for some reason. 

There’s nothing more dangerous to your business than the set-it-and-forget-it approach.

-- CYBER SECURITY. You’ve got a firewall, intrusion detection, virus protection, a VPN, a great IT team, so you can sleep soundly at night, right? Wrong. Not unless you got rid of all your staff. 

Every company that has ever been hacked had all those things and more - SONY, Anthem, Target, Experian, the IRS. They were not hurting for financial or IT resources to put into technology. Yet they were all hacked (the IRS several times). 

The greatest danger to any business are authenticated employees who open the door - every time - to let the hackers in. The best network gear can stop about 90 percent of phishing emails. That means 10 percent get through and, Verizon’s 2019 Data Breach Report says of those 18 percent of users will click on a malicious link or download. 

The solution is not better network gear. It’s primarily an understanding the way your employees actually work and how they may be circumventing security barriers (creating shadow databases, using unauthorized software or apps, removing work from secure locations to take it home to work on)  in order to get their work done. Second, working with your employees regularly to ensure (not assume) that they understand the risks and can identify (or verify) an email before clicking. And finally, publicly recognize and reward your employees for being the first line of defense of your company. That all takes time and human effort, not necessarily a big financial commitment. The more personal the effort, the better the result. 

-- PRIVACY. This is a flashpoint in conversations both personal and professional. Businesses have both a legal and ethical responsibility to protect any customer information in their control. That can include online contact or sales forms, customer service data, account information. Facebook recently took yet another reputational hit when it was discovered that unobscured passwords were left exposed in an online database. 

The situation gets complicated when mobile devices and apps come into play, raising issues of location awareness, passwords, PINS, biometric information and more. 

Best practices: Don’t collect what you don’t need, know where all the data is maintained, review the maintained data on a regular basis, and consider inactivating unused accounts. I recently logged into a site I hadn’t been to in more than five years. My account, including my credit card (now expired) was still maintained in the database. 

Businesses don’t want to ever give a customer an opportunity to opt out. But the privacy climate being what it is, a periodic communication to lapsed customers (maybe those who hadn’t logged in, purchased, or interacted in more than a couple of years), asking them to update their stored data as a security measure, could be well received as a proactive protection measure. Eventually, those abandoned accounts should be deleted or put into cold storage, as a security measure. 

The collection and maintenance of customer data must be important enough to warrant human intervention and critical evaluation. You can see that even in major global players that utilize advanced AI and programmatic algorithms - like Facebook - fail when they put trust, without verification, is technology alone.

More on best practices and security