Information Governance Insights: FAQ – Cybersecurity
Cybersecurity is a critical concern for any organization. What areas do you recommend focusing on to ensure these risks are mitigated?
I am firmly in the camp that says every organization will be hacked at some point. The technology used to build malware has advanced, just like all other software, to the point where virtually anyone can purchase a malware engine with a simple, user-friendly interface and create an attack in a matter of minutes.
These packages are so prevalent that, coupled with bots that can run all day, every day in an endless loop, they produce hundreds of thousands of hacking attempts every day. If you look at it from a purely business perspective and compare it, say, to bulk mail marketing, where a response rate of only about five percent is considered a success, you can begin to see the advantage of this type of “business”. Throw enough against the wall and some of it will eventually stick.
This does not mean that organizations need to move massive amounts of money into purchasing cybersecurity software packages to beef up their current systems. Studies have shown that the most common attack begins with an ordinary fraudulent email opened by an unsuspecting member of staff. This is known as “phishing”, and it is used because it works: when the same message is sent to hundreds of thousands of email addresses at a time, it only takes one person opening it to be effective.
Screening for these fraudulent emails cannot be the sole responsibility of the Information Technology team, simply because of the sheer volume of these attacks. It is vital that training and education focus on this area, along with a robust internal testing program, so that the entire staff actively understands how to guard against these attacks. Cybersecurity must become everyone’s responsibility in order for it to be truly effective.
Another cybersecurity issue I often find overlooked is deferred maintenance. Many organizations got a wake-up call from the WannaCry virus, which attacked organizations and governments worldwide in May 2017. The worm attacked systems through a known issue in Microsoft-based operating systems; if you had neglected to patch your systems before you contracted the virus, you were at its mercy. System maintenance is always a concern when budget planning time comes around. This is not to say that there should be no limits or oversight when upgrading systems to the latest service pack or version, but system maintenance should have a higher priority than it has had in the past.
The same goes for the level of protection different systems receive based on a risk assessment. With the WannaCry attack, for example, the Equifax credit reporting service guessed wrong with a relatively benign system on a customer service site. There is always a tightrope to walk in deciding which system to decommission or upgrade, but it should be obvious that system maintenance needs a higher priority than it has had in the past.
Cybersecurity can be intimidating, and many organizations overreact with massive budget increases to implement the latest technology when it is quite possible to protect the organization from the most common security threats in a much less costly way. Continual training and testing of the staff, coupled with an improved system maintenance program, can go a long way toward ensuring your organization is protected. There is always time to implement software later if it is needed. Try the other steps first.