I was at a group meeting recently where our CEO was presenting on modern-day cyber-security challenges and how our company should approach the challenges faced by organisations. In an off-topic moment (or so I thought) he asked about the Maginot Line and what those in attendance knew about it. Much to my surprise there was a brief silence, with no response forthcoming. To the best of my ability I described a series of military fortifications along France’s eastern border with Germany, designed to stop potential German aggression at the time. He then began to draw parallels between this scenario and the approach of many modern-day organisations to cyber-security.
The Maginot Line was seen as impenetrable at the time of its construction: a line of fortresses so long and so heavily guarded that they could repel any invasion from land or air. Many of them were set into the ground with anti-tank guns and linked by an underground rail network so that troops could be deployed swiftly. But unless you’ve lived in a cave for the past 75 years or got thrown out of GCSE History, you’ll know that the Maginot Line was about as successful as TalkTalk’s cybersecurity strategy. So what happened? What cunning Nazi strategy undid these impregnable forts? You might think it was heavier artillery, a greater air presence or something of that nature.
Put simply, the Nazis went round the Maginot Line, cutting through Belgium, where French defences were at their thinnest. Hardly a revolutionary strategy. Used sparingly, the comparison holds for the mind-set of some organisations and their perceived threat level. You can invest in firewalls, implement the latest email filters, even hire the most skilled pen testers, but all of it can be rendered inconsequential for one reason: it only takes one employee to click on a phishing email, to lose a USB stick with sensitive information stored on it, or to let someone waltz through the front doors of your organisation and into your server room. Should the full consequences be realised in such a case, then financial penalties are the least of a company’s worries. 41% of organisations surveyed in a recent PwC report cited reputational damage as having the most adverse effect on business, and 36 of the organisations that responded were still suffering “serious” or “very serious” disruption a month after their worst incident.
In short, the point of this post is that no amount of technology alone can secure your organisation. Technology, deployed in conjunction with trained and security-aware employees, is the most effective defence, not only against malicious attacks but also in minimising human error.