The hacker sweet spots of SMBs?

in posh •  5 years ago 


In my 20 years of experience in the InfoSec space, and a total of 34 years in my IT career, I've seen a lot when it comes to information technology.

The good, the bad and the ugly, so to speak.

A recurring pattern I was confronted with is that SMBs (small and medium businesses) below a certain size, depending of course on the people in charge of IT operations, but as a rule of thumb, tend to run "their stuff" with an 80/20 approach when it comes to reliability, security and overall effectiveness.

If they're lucky, they got a "bloody nose" early on and adjusted their ITSM (Information Technology Service Management) to a cyclic improvement process.

At first glance counter-intuitive but nonetheless true: some of the worst I've seen came about because the IT guys in smaller shops did a great job of "saving the day" over and over again, without a chance for management to make the changes needed to improve processes and infrastructure overall.

The "I'll take care of everything" and "just let me do my job" types are so deep in the trenches that they usually miss the big picture.

If they're "good" at that, problems pile up underneath the workarounds and hasty fixes that nobody else has a chance to oversee, until they themselves get overwhelmed by the house of cards they've built.

In such situations I was often called in as an "IT firefighter", and after the big flames were put out I did "my thang", which is a complete assessment and rigorous audit of everything that is IT, and of every process that intersects with IT, throughout the given business.

Mostly without the responsible managers even knowing about the risks that had massively piled up underneath them in such constellations, sometimes to such a disastrous level that every minute of "successful" IT operations, and "the final breach" not happening, was just a matter of luck.

I get it: the pragmatic approach that concentrates on the core of the business, with IT just being the thing you have to have to somehow make money.

But when even the simplest basic structure and architecture underneath "the stuff" is missing, that's simply asking for trouble.

In some organizations, especially when there's no one there to bring a structured approach into operations and funding, things must somehow get very ugly, and visibly so, until they are questioned.

Yep, and I've even met those characters who intentionally let something hit the wall at full speed to get a few bucks to keep things afloat again for a few months.

The problem is that some of the things that can happen will be the final nail in the coffin. Like a breach that will either put you out of business because someone has lifted all your company's crown jewels, or has otherwise compromised your operation so dramatically that you can't recover.

The risks out there are real, and the little article I've linked further down shows that significant numbers of executives obviously look at the rather less probable risks but seem to drop the ball in a more general manner.

They aren't even aware of what their risks are, so they look at the biggest blanket thing of all: nation-state bad actors.

Smh... hahaha! Enjoy the article from threatpost.com...

https://threatpost.com/smbs-nation-state-actors-apts-targeting/150836/


So, how do you handle an objective risk assessment?

Nope, this isn't just about business; it's a general thing we all do, for the most part subconsciously, but still we do it.

How about you try to think about your personal risk appetite when it comes to crypto?

How's your overall crypto and cyber OpSec?

Have you been lucky so far without investing time into reflections on risks in general, OpSec, Backup/Recovery or malware protection?

What's your strategy for identifying, qualifying and quantifying your crypto risks?

Let me know down in the comments if you like!

Cheers!
Lucky
