Google the word “ransomware.” You’re likely to see at least a handful of news articles about the latest attacks on various data systems around the world.
It’s no wonder then that in any given week, you’re also likely to be besieged by a multitude of software vendors — like ambulance-chasing lawyers — claiming to have the perfect set of security solutions.
Don’t be fooled. The pervasive nature of cyberattacks has created a dangerous hype cycle. It’s the IT equivalent of whitewashing. Call it “security washing” – vendors talking a good game, but without the actual capabilities needed to protect or recover data.
As someone who has spent three decades in the IT trenches, often on the customer side, I’ve come to recognize how these hype cycles work.
Here are two things that can help you do the same: How to recognize security washing when you see it, and the questions you should ask any vendor about its capabilities before signing a contract.
Unethical Promises
Because your clients don’t work in data security, they might not even realize how often data systems like theirs are being hit. It’s not a question of if but when their systems will be attacked.
Threat actors are often highly organized and well-funded. They gain a foothold, move quietly through the environment for weeks or even months, and copy sensitive files out before encrypting them in place. Then comes the ransomware shakedown: a demand to pay for the decryption key, and often a second demand to keep the stolen copies private.
Safeguarding against these kinds of attacks and limiting the damage requires detecting the intrusion early, before the exfiltration and encryption stages. It also means having a rapid recovery capability, knowing which data is most crucial to recover, and knowing which copy of that data is still clean.
All of this is hard to do.
Cyberattacks are among the most serious business threats to any modern organization. Our data is extraordinarily valuable, which is why the bad guys are so intent on stealing it or holding it hostage. And because everyone and everything is connected, the attack surface is vast.
Protecting yourself and your clients is serious business. It must be top of mind for everyone, from the C-suite and boardroom on down.
What to Ask
Questions to ask any vendor promoting its supposed security bona fides include:
- How will I know if the bad guys have gotten inside, and how can I contain their reach? Ask what signals the product actually watches for, and how soon after initial access they would fire.
- Will I be able to tell what data has been taken or modified? Ask for file-level detail: which files, when, and by which account.
- How can I identify my most mission-critical data?
- If I do get hit, how fast can you get me back up and running? Ask for recovery times measured in a real test, not a figure from a datasheet.
- How do I know how far back in time to go for my clean data? Ask how the product tells the last known-good copy apart from one that already contains encrypted or tampered files.
- What will all these capabilities cost me?
Unless the vendor has good, credible answers to these questions — and can point to other satisfied customers — there’s a good chance that you’ve just become another target of security washing.
Proceed with caution.
Alan Atkinson is chief partner officer at Commvault.