Every day there’s another report on a cyber breach, so much so that it doesn’t get reported on unless it is massive in scale. What this means is that these breaches are so common that the news media is getting bored with reporting them, and so people become complacent about this very serious issue. Therein lies the problem.
Hacks, malware and ransomware are such an issue that companies are starting to adjust their hiring practices for information technology staffing so that every position includes some element of a cyber security skill set as a basic requirement to even be considered for an interview. This is a reasonable and practical response to the environment we face today, but I believe it is shortsighted. I am a firm believer that an organization will get hacked no matter how good its precautions are. This is not pessimism on my part, it’s simple math: today’s hacks are automated to the point where there are thousands if not millions of attempts to infiltrate an organization’s systems every day. They only need to work once.
In fact, the latest ransomware virus was so successful not because of a failure of the information technology folks to do their job, but because of others in the organization not doing theirs. Entire organizations around the world were shut down because someone opened a phishing email and exposed their systems, which were not current with the latest operating system or security patches, to the attack. So, in reality, it was a lack of training and deferred maintenance that caused the problem. These are the types of issues Information Governance professionals must deal with every day.
Let’s start by addressing the training issue first: nobody wants to be the one who takes down their entire organization due to something they did, but they can’t help out if they don’t know how to spot malicious emails that make it through the firewall. This takes constant training and reminders of what is going on in the cyber world, how it can affect them and what they can do to deal with it effectively. Training is one of the easiest and most cost-effective ways to deal with cyber attacks because most attacks are aimed at the individual rather than a system. If you can educate your staff about these threats, you will go a long way toward plugging the holes in your security program. Now let’s talk about the real elephant in the room – deferred maintenance.
The WannaCry virus exposed a dirty little secret that many, if not all, organizations have been dealing with forever. As odd as it may seem, entire international organizations were taken down because they are still running on the Microsoft Vista operating system. This really shouldn’t be so unfamiliar when you think that most organizations have an old system that runs some critical functions, with customization done over time, that now simply can’t be upgraded without a substantial financial commitment nobody is willing to make.
To be honest, deferred maintenance is something that has always happened and probably always will. As long as Information Technology can keep it going, there never was an issue. It is only now with these attacks that an organization may have to rethink how they plan their upgrade schedule because of the risk these systems represent.
It is the responsibility of the information technology department to inform Management of these vulnerabilities, but it is Management’s responsibility to take these warnings seriously and budget accordingly. So as you can see, cyber security is really everyone’s business. The information technology department can only do so much to keep the wolves at bay. It is up to everyone to be aware of the tactics being used and how to respond to them, and up to Management to understand that the risk of deferred maintenance has become more critical.