The Mayberry Model
Watch the till and lock the door at night. If you were opening a small business 30 years ago, your major security concerns were probably to keep an eye on the till (cash register) during the day and to lock the door at night. It reminds me a little bit of the Andy Griffith Show which ran in the 1960’s about a small fictional town called Mayberry RFD in North Carolina. Mayberry enterprises included Floyd’s Barbershop, Emmett’s Fix-It Shop, and Foley’s Grocery.
Floyd didn’t need a risk management program, much less an IT risk management program to run his business. It was pretty easy to remember — watch the till and lock the door. He could also easily describe and assign those tasks to someone else if he wasn’t available. Further, it was fairly easy to watch the till: Money was physical — paper or metal — and it was transferred to or from the cash drawer. He knew everyone that came into his shop. Same for Emmett and his Fix-It Shop. Plus they had the added bonus of a pleasant bell ring whenever the cash drawer opened. This leads us to the MISRMP (Mayberry Information Security & Risk Management Plan).
Mayberry Information Security and Risk Management Plan:
- Watch the till
- Lock the door at night
- Make sure the cash register bell is working
Today’s model
Fast forward to a small business today, however, and we have a different story. Today, in our online stores selling products, services, or information, there is no physical till and probably little to no physical money. There are online banks, credit cards, and PayPal accounts and we really don’t know where our money is. We just hope we can get it when we need it.
There are not actual hands in the till nor warm bodies standing near the till when the cash drawer is opened. There is no soft bell ring to let us know the cash drawer just opened. We don’t know the people in the store and they don’t go away when the front door is locked. Our customers shop 24/7.
Further, instead of a till with a cash drawer, our businesses rely on very complex and interconnected equipment and systems — workstations, servers, routers, and cloud services — and we don’t have the time to stop and understand how all of this works because we’re busy running a business. Floyd’s only piece of financial equipment was the cash register (and Emmett could fix that if it broke).
This new way of doing business has happened pretty fast. It is not possible to manage and control all the pieces that make up our financial transactions. We also have a lot more financial transactions. While the Internet has brought many more customers to our door, it has also brought many more criminals to our door. Making the situation even more challenging, we largely don’t have the tools in place to manage our information risks.
What Floyd knew (and we don’t):
- who his customers were (knew them by face and name)
- what their intentions were (wanted to purchased a haircut or shave or steal from the till)
- where his money was (in the till, in the bank, or in his pocket while being transferred from the shop to the bank)
- when business transactions occurred ( 9:00 – 5:00 but closed for lunch and closed on Sundays)
- what was happening in his store after hours (nothing)
That is to say, Floyd had much less business uncertainty than we must contend with today. He could handle most of his uncertainty by watching the till and locking the door at night. Our small and medium sized businesses today, though, are much more complex, have much higher levels of uncertainty, and need be risk managed to allow us to operate and grow.
As Floyd managed his security and risk to operate a successful business, so must we — ours is just more complicated.
What are the 3 biggest IT & Information Management risks that you see affecting your business?