In today’s edition of “how in the world is that possible?” I bring you the curious case of the antique shop. Well, the business is not about buying and selling antiques; it’s a widget (actual line of business obfuscated to protect the innocent) factory. It employs just over a dozen people, who mainly work with their hands. It is precision work, but fairly dirty. “Skilled labor” is the term I’m looking for.
No, the “antique” aspect of this business is the three computers it uses. They were procured in the early ’00s by a much larger firm, a customer of our client, and passed on to them when the bigger company upgraded their IT infrastructure a few years later. The operating system and software that run on these systems would be familiar to you…but look quite dated. The thing is, though, it is all perfectly functional from the perspective of the client. They boot up in the morning, they connect to the internet and the EDI system, the spreadsheet program does math, the word processing program churns out invoices and so on.
“Everything works just fine. I don’t need the latest equipment. I can’t see anyone thinking I’m worth hacking. We print off copies of everything and file it the old fashioned way. I don’t even do online banking; almost everyone I do business with pays by check.”
With one exception, it’s hard to argue with that kind of logic. Security people in particular love to make fun of people who use old technology. “OMG don’t you know how vulnerable that is? It hasn’t been supported (by the manufacturer) for years! The epic pwnage is seconds away!” All of that is true, but as a business owner the calculus is a little more complicated than “old vulnerable system vs. new better protected system.”
The client and his business are the reason why all of his employees can pay their mortgages, feed their kids, and go to the lake for a week every summer. It isn’t a super high margin business, so while everyone is doing OK, it’s not like there is a ton of money to throw at fresh-off-the-boat PCs and next-generation cyber awesomeness. If it ain’t broke, so the saying goes, don’t fix it.
The exception? The claim that he’s not a target. As we talk about in the book, the mere presence of a CPU makes someone a target. Now the one saving grace is that the juice from these geriatric processors might not be worth the squeeze to pwn, but that’s not up to him or me, it’s up to the bad guys. And if they decide he’s worth attacking, and they’re successful (high probability), then he’s in for a hard (and expensive) time.
Yes, he could recover his business files from manual records. In that sense he’s luckier than most small firms who put their trust in their hard drives. Most of his equipment is analog and what is digital is fairly “dumb” and easily reset to factory settings. Work will continue, but trust is gone. Increasingly, large companies are getting their security act together and requiring that all their suppliers do too. Our client will need to upgrade sooner rather than later.
Thankfully, IT is relatively cheap, and he doesn’t need top-of-the-line equipment to start with. And the whole point of the book is that there is a lot he can do to protect himself, his business, his people, and his reputation that costs nothing.
If this situation resonates with you and what you do for a living, don’t be shamed or bullied by your choice of technology. It’s OK to use old tech if you’ve taken a number (OK, a LOT) of precautions and taken the time to do a cost-benefit analysis and determined that getting the latest gear and defensive technology would be an ideal way to go broke. You’re in business; you’re not in the security business. Security is a process, and as long as you’re working the process, and making progress, that is all any reasonable person can ask.