Why is it that so many companies, with their very limited budget, go looking for shiny new cyber security products that will cure all their worries (as if), when they haven’t first considered how they can do better with what they currently have?
Time and time again we see the most rudimentary failures of basic IT security. Passwords set to never expire. Complete lack of access controls to customer data. Too many people with administrative rights. No staff training for information & cyber security or data protection, no vetting of staff, and the list goes on.
But worse still, you go back a year later to find that they’ve installed a SIEM machine (that they don’t need or understand) and have only tightened up a few basic security controls, with the majority left in a totally unsatisfactory state. As they say, you can’t patch the human. If only their customers knew…