Security vendors can write some real guff when offering commentary on security threats. Just this week I’ve read articles ‘written’ by senior staff from various security vendors offering thoughts, views and advice on how to secure systems. If I was being charitable, most of them are rehashes of previous articles, and common sense dressed up with a bit of jargon. Insider threat, APT, emerging threat vectors and the like litter the page with an embarrassment of clichés.
And yet it’s clear that there really is a new threat emerging, and that is industrial unrest. Today’s announcement of a vote by Fujitsu staff on strike action follows various bouts of IR (industrial relations) fisticuffs at Shropshire and Southampton Councils over the summer.
Ignoring the reasons why, having IT staff out on strike means systems will at best be run by skeleton crews. These crews will naturally try to keep stuff in the land of the living, primarily because the SIs get walloped with service degradation penalties if they don’t, but also because it’s politically expedient to show the strikes are having no effect.
The problem is that InfoSec may take a back seat, which is precisely where I believe it shouldn’t be. Even at its most mundane, we are seeing between 150 and 160 thousand new malware samples a day right now, and systems need to be kept in tip-top condition just to stay running. QA processes may go out of the window internally, patching may fall behind schedule, and slowly an organisation can get exposed. You can automate many things, but risk will inevitably increase if IT staff go out on strike.
I don’t have a pithy or illuminating solution here, just an observation that in infosec terms, we are a symbiotic community that needs everyone to stay on their game. As the situation unfolds, CISOs and CIOs need to ensure that security doesn’t take a back seat, or the effects will be severe and far-reaching.