Over the last few weeks, we’ve been looking at common security misconceptions that plague state and local governments. There’s one more that we’ll examine on the blog, although we identify six in the ebook we recently published. This last one differs from the three that have come before in that it feels like it shouldn’t be a misconception at all. Here it is.
Misconception No. 4: Security is a shared responsibility.
That’s true, right? Security should be a shared responsibility. We all have a part in keeping whatever network we work in secure, don’t we? Well, yes. We do. And that’s why we advocate for training staff on constantly evolving tactics for breaching networks.
While every network is unique, there are two things that are common to almost all local government data centers: They have small budgets and small staffs, including some counties that are running with entire departments made up of one person.
Often, it’s teams of two, three, four people that are responsible for not only maintaining the network, but also maintaining endpoint devices and taking help desk calls. They are sharing the responsibility for all IT projects, including security.
The problem is that when it’s everyone’s job to monitor the network’s security, chances are no one is actually doing it because they assume “well, someone else has taken care of that.” Security isn’t something that can be done by committee. It requires dedication and focus. It ultimately has to land at the feet of someone. And that’s how this misconception is corrected.
How to combat this misconception: The only way to give security the attention it deserves is by hiring someone who knows his or her stuff and can concentrate on it. The argument against this is obvious. It’s not in the budget. The reality is you can’t afford for it not to be.
The cost of even a single breach can be staggering. Today, the average server rebuild costs about $60,000 per server. If you get hacked, the chances are high that you will have to rebuild at least one of your servers, and that’s almost an automatic $60,000 spent. And that doesn’t include any remediation costs that may come with a data breach, like paying for credit monitoring for anyone who may have been affected.
Without someone in place who knows security, you’re betting that you’re not going to be hacked, so you’re not going to have to spend that $60,000. But a good risk manager would spend $60,000 up front to better protect the server, because if you are hacked you’re going to end up spending the $60,000 one way or the other. It’s just a matter of when, how, and what other costs are going to be associated with it.
Another route to consider: outsourcing. Whether it’s moving parts of your network to the cloud or using remotely managed devices, you can save money and time and get top-level protection by looking to outside vendors to help you manage your security.