There were emotional ads. There were dancing sharks at Katy Perry's halftime show. And, amidst all the marketing hoopla and entertainment extravaganza, a football game was played.
Super Bowl XLIX was full of surprises. As anyone in IT can attest, cyber criminals are full of surprises too -- and proper preparation is key to fending off their attacks. Below are three lessons one can draw from this year's Super Bowl to better inform one's own cyber security policies and practices.
Pay attention to market forces
Consider the poor fans who spent hundreds of dollars for tickets to the big game -- only to find out that those Super Bowl XLIX tickets they bought never existed. The problem here was ticket brokers' common practice of short selling -- selling tickets before having them in hand, then buying them cheap closer to the event. In the case of Super Bowl XLIX, however, those cheap tickets never materialized because too many other brokers were doing the same thing at an unsustainable volume.
[ What can CIOs learn from winning coaches? Read Super Bowl CIOs: 7 Lessons From Winning NFL Coaches. ]
Such a crisis was but a matter of time; brokers (and their customers) should have been prepared. So too must IT be prepared for both the old and the new attacks that are out there waiting for their data.
So you have antivirus software running. Maybe a firewall. Maybe you even have a cyber security consultancy on retainer. And so far, so good. Security doesn't end there.
In his book Spam Nation, Brian Krebs reports that more than 82,000 new malware variants attack computers every day. An unceasing dedication to preparedness and awareness of market dynamics is key.
Woe to the administrator who installs new software without first testing it. The result can be a brand-damaging, revenue-halting crash. Just ask Verizon – a company that learned this lesson the hard way last year when its billing system suffered a major multi-day crash after having installed an untested software update.
Or, in the case of Super Bowl XLIX, just ask insurance company Nationwide, which ran what has been called "the most depressing Super Bowl ad ever" and "the creepiest moment of the night." In Nationwide's controversial Super Bowl commercial, a child explains that he'll never enjoy various life experiences "because I died in an accident." The grim announcement is followed by creepy images, including those of an overflowing bathtub, an open kitchen cabinet full of cleaning chemicals, and a large television smashed on the floor.
The negative reaction to the Nationwide ad causes one to wonder: Did the company try testing the ad with audiences first? Or, for that matter, did Nationwide consider how its dark messaging would fit in with the celebratory context of the Super Bowl? The situation is analogous to the job of an IT administrator – especially in a multi-vendor organization. The job involves making disparate bits of software and hardware play nice together. Frequently, a new piece of software (often from a low bidder) will come along that the administrator needs to assimilate into the system. Other times, a vendor will release an important security patch. These updates, however, may have catastrophic results if not tested properly first – preferably in a virtualized testbed.
Don't take unnecessary risks
No "lessons from Super Bowl XLIX" overview would be complete without a look at the Seattle Seahawks' disastrous decision in the fourth quarter, with seconds to go, with a four-point deficit to overcome, and being mere inches from the goal line, to run a passing play. Whereas a running play would have undeniably been safest (especially considering that the Seahawks were on only their second down, allowing them two more chances, even if they failed to score a touchdown), the passing play allowed an opposing rookie to intercept the ball -- and snatch the Super Bowl trophy for the New England Patriots.
This brings us to the most important cyber security lesson here: Don't screw around. Are there websites and software your staffers have no justifiable business reason to use? Block those things. Can non-employees access your offices? Strictly enforce a clean-desk policy so no handwritten passwords or other security-compromising data is left out in the open. And, naturally, train your employees on good security practices and culture.
You could have the best cyber security software and IT staff around, but the slightest slip-up can bring down your organization. InformationWeek editor Dave Wagner observed recently that the Seahawks are one of "the two best teams in the league in causing more turnovers than giving them up." The other team, Wagner noted, is the Patriots.
Hence, to call the Seahawks' decision to pass the ball an "unnecessary risk" would be an understatement.
Don't take unnecessary cyber security risks. Stay the straight and narrow, follow established policy and best practices, scan every file and connection, test every new update, and value patience and resolve. Boring? Perhaps. Difficult to measure ROI? Possibly. But you'll be a lot better off in the long run.
Attend Interop Las Vegas, the leading independent technology conference and expo series designed to inspire, inform, and connect the world's IT community. In 2015, look for all new programs, networking opportunities, and classes that will help you set your organization’s IT action plan. It happens April 27 to May 1. Register with Discount Code MPOIWK for $200 off Total Access & Conference Passes.