“Not going to happen to us” … “we only hire faithful people” … “that’s not our culture” … “we don’t know for sure that there is sensitive data there”
If this is the way that your company is addressing its governance and security, wait for it…you are already in trouble. Too many people kinda know that they have issues, but they don’t want to address them. If you don’t know for sure where the problems are, then you can’t be blamed when there’s an issue, right? Just make sure to keep that resume up-to-date.
We see it all the time; you’re not alone. Very few companies know exactly what’s going on within their four walls. They are constantly looking to the outside to see who is trying to break in, when really they need to focus on the folks inside who already have access to the company’s data.
When we identify where the risks are, there is always a reason that they don’t do anything about it: “no budget this year” … “not a priority” … “that’s something we can look at in the future” … “it’s an acceptable risk” … “don’t let my manager know about this, I could get in trouble”.
You need a place to start, but you’re so busy you don’t know where to start, don’t have resources, don’t have budget… Yeah, we know. But when your company is now the subject of headlines, can you still have your head in the sand?