James Cameron, the director of the movie Titanic, who has made 33 successful dives to the Titanic wreckage site, pointed out in a recent interview that the Titan sub tragedy is eerily similar to the 1912 Titanic disaster. In 1912, the captain of the RMS Titanic was repeatedly warned about potential dangers ahead given the icy waters; however, he plowed forward at full speed into the ice field on a moonless night. This resulted in over 1,500 innocent deaths.
The captain of the Titan sub and CEO of OceanGate, Stockton Rush, was also repeatedly warned about his vessel’s safety, lack of certification for the vessel’s integrity, lack of a tracking device (think airplane black box), their experimental approach to deep dives (even though this is a very mature and well-understood practice) and lack of a backup sub. Even with these warnings, he plowed forward at full speed, resulting in the deaths of innocent people.
This kind of willful negligence is rampant when it comes to IT security and compliance for small businesses. Sometimes it ends in an abrupt, catastrophic “implosion,” where a company is destroyed by a ransomware attack, operations shut down, unable to transact, employees and clients harmed, and the company’s reputation tarnished. Other times, the risk is there but hasn’t been addressed because nothing bad has happened – yet.
There are 3 types of willful negligence when it comes to IT security and regulatory compliance for data privacy and protection.
1. Willful ignorance.
Some people running a business may be too young or inexperienced to understand the risks they are incurring by failing to protect their clients and themselves. Oftentimes, they are being advised by the wrong people – an IT firm that lacks the expertise to implement good security protections. You almost can’t blame them for getting it wrong initially, but at some point, they are going to get hit with a cyber-attack and learn the hard way.
2. Willfully stupid.
This group cannot claim “ignorance” as their defense. They KNOW they should be protecting their business and their clients’ data. They’ve heard the stories, they know the laws and may have been warned by their IT company, but foolishly believe “that can’t happen to us,” or choose to assume they are “fine” because “nothing has happened yet.” They may trust but not verify that their IT person is actually doing what they’re supposed to, and often lack cyber liability insurance, choosing to take the risk.
3. Determined negligence.
This group stubbornly insists on continuing to operate without proper security protocols in place, without a disaster recovery plan, without any insurance, without assessing and inspecting their environment, refusing to acknowledge ALL facts, history and evidence to the contrary. They may know they are acting irresponsibly but do nothing to change it.
After the tragedy of the Titan sub, multiple experts came forward to point out all the risky behaviors Rush was allowing. The hull had not gone through any type of cyclical pressure testing or thermal expansion and contraction testing. The hatch could only be opened from the outside and not the inside, which would have prevented the occupants from escaping in an emergency – one small fire inside would have been catastrophic. There was no atmospheric system to monitor interior gases such as oxygen, carbon dioxide and carbon monoxide. There was no emergency air breathing system. The viewing window was only certified to 4,000 feet, not the 12,500 feet of the Titanic wreck.
Everyone makes mistakes and everyone has a moment in their lives when they place trust in someone they shouldn’t. Everyone has blind spots, and we’re all ignorant and misinformed about something. The question is, do you STAY willfully ignorant to the point of being determined to hold steady to your course of action where you not only do harm to yourself, but to others as well?
If you do, it’s only a matter of time before your own ship sinks. Sadly, if you’re the CEO of a company that holds financial data, credit cards, medical records, tax returns, Social Security numbers, birthdays or even the contact details of your clients OR employees, YOUR willful negligence in cyber protection will absolutely harm others.