SEAT Global Magazine - Sports Industry Case Studies Issue 05 June/July 2017 Special Edition - Page 55

Q: What is the general prevalence of unaddressed security vulnerabilities, including physical or cyber attacks, at government and private entities?

A: It’s hard to say that across the board – every organization does things differently. In physical security issues, a lack of appreciation as to the threats, risks and potential impacts, combined with a lack of time and resources, leaves a lot of neglected areas. In cybersecurity, some organizations are great and very proactive but a lot aren’t, for a number of reasons. For some, trying to apply patches during certain periods is a risk they consider bigger than the risk of an attacker capitalizing on that exposure. That leaves them vulnerable, but by their risk calculation it’s a chance they’ll take.

As kids, we all grew up doing fire drills. Schools assessed that while unlikely, the potential disaster of kids being trapped in a school that was experiencing a serious fire was too big to not prepare for. So, we ran fire drills. As adults, we need to take the same approach to our organizations. Fire drills are still important, but so are other response exercises – hostile events, responding to a ransomware threat, anticipating seasonal weather issues – those threats that are assessed as serious risks need to be addressed.

You can’t do everything – no one can – so focus on fundamentals. When you address hostile events, you cover the same fundamentals needed for responding to active shooters, explosives, workplace violence and simple acts of terrorism. In cybersecurity, having basic incident response procedures will help an organization address the immediate crisis, but of course additional expertise may be needed depending on what the situation is. In both physical and cybersecurity, and for pandemics and other threats – it is great to have detailed protocols but sometimes those may cover the 10-20 percent left unanswered by a basic response plan. In most cases, you’re going to settle for the 80 percent solution and accept that a lot of it is going to be adjusting to the reality of events on the ground. Your plan is almost never going to be based on the exact situation you find yourself in. Not in war, not in a fight, not in incident response.