Companies bury their heads instead of tackling vulnerability remediation
In November 2016, Casino Rama made Canadian news headlines after being hacked and having massive amounts of employee, vendor, and client data stolen.
Casino Rama is a large Canadian casino and is a joint venture between First Nations, commercial operators Penn National Gaming, and the Ontario Lottery and Gaming Corporation. It is Ontario's only First Nations "commercial casino" and the largest First Nations casino in Canada.
Reports have been circulating in the media that the hacker(s) are threatening to release the stolen confidential information to the public. Unfortunately, we are seeing more and more of these types of news stories, where an organization is breached, information is stolen, and the organization is then threatened with exposure.
Regardless of the outcome, the breach has damaged Casino Rama's brand reputation and exposed the casino to the potential for multiple lawsuits. Everyone wants to know whether the casino was aware of potential cyber-security risks and what it was doing to address them. Whether or not the media is correct in suggesting it did know, what happened to the casino happens to far too many organizations that are aware of a security risk but are unable to address it, essentially "rolling the dice" in the hope that they won't be breached.
Unfortunately for Casino Rama, this particular breach may prove very costly, with lawyers already announcing a proposed $50 million class action lawsuit.
The Ostrich Effect – an ineffective approach to vulnerability remediation
"The Ostrich Effect" is an ineffective approach to vulnerability remediation that is quite widespread in both the public and private sectors. It takes place when an organization knows it has a risk but is unable to remediate the threat, usually because of the cost and effort remediation would require. In some cases, management evaluates the costs involved in remediation efforts and decides that the risk of a breach is "acceptable" compared with expending resources that could be used for revenue generation and strategic initiatives. In other cases, the executives simply don't know (or don't want to know) how exposed they truly are.
Even organizations with relatively sophisticated security teams like those at a casino struggle to close, and keep closed, all of the security vulnerabilities identified in their organization. This is normally due to several key factors:
- As mentioned above, the sheer amount of manual effort it takes most organizations to find, plan, and remediate known vulnerabilities is overwhelming. It is next to impossible to keep up with the volume, and this causes IT organizations to eventually give up on all but the easiest vulnerabilities and revert their focus to more manageable tasks.
- No one takes ownership of the problem, which means there is no one to lead the charge in finding a solution.
- Organizational challenges interfere with simply getting the work done. Many organizations have silos between the IT and Security departments, causing what should be closely knit teams to stop communicating with each other altogether.
In my next blog I'll break down the steps required to avoid the Ostrich Effect and implement a strong remediation plan within your organization. In the meantime, you can learn more about Online's Service Management practice here. If you would like to learn more, feel free to send me an email anytime.