We all see things we don’t want to see and just look the other way. Sometimes it is too uncomfortable to see certain problems or situations. And the reality is that if we just look at them and deal with them at the moment we can usually get past any discomfort or pain rather easily.
The legal system uses the term willful blindness to describe this occurrence in the areas of liability. Simply stated it is when a person decides to not address a specific issue due to it being an area where they assume there will be dire legal consequences, so they just don’t address it and hope it goes away. Therefore creating a possibility of negligence.
How Blind?
Unfortunately for us in cybersecurity willful blindness is just what the cybercriminal is counting on. He is expecting you to avoid the issue. To put the issue off. Or just not handle it because you are too afraid of what happens. That is the opening he needs to gain access to your data. And if you are a minor player in your company this is not really hard to look the other way at all.
But if you are a principle of the company it is your duty to deal with these occurrences at the moment they occur or before it happens. I have been in many corporate and public-sector environments and have seen with my own eyes human nature take over and an executive in the organization willfully decides to just look the other way. In my opinion, it is unforgivable.
Have A System
My recommendation is to have a system of seeing the problem as soon as possible. This may involve many things technical and non-technical but it must once again come from the top. Working with the specific functional areas of your company.
Make sure you have in place scanning, logging and reporting tools that tell you when there is even an incident on the horizon. This is critical. Make sure either you have qualified outside technical resources, or you hire and maintain and train your own in-house resources.
Next make sure you have some type of security authority set up within your organization. Where it is your risk manager, your CISO, or even functional managers or VPs. Give people a place to go to report issues as they occur. Also have your rank and file employees trained and looking for threats and possible strange occurrences. Make the decision today to see what most people don’t want to see. And you will be better off.