Information Governance Insights:
Repeat After Me – Cyber Security is Everyone’s Business
“Hacks” and identity theft have been around for a very long time, but over the past few years the hackers have changed tactics and are targeting whole systems for attack. Ransomware is the latest incarnation of this: clicking on a single email can launch an attack that locks down an entire organization and renders its computers inaccessible until a “ransom” is paid to the hacker for the promise of an access code to unlock the system.
What started in the financial services sector quickly jumped to healthcare providers and has most recently begun showing up in the government sector. Entire cities have been shut down for days due to such attacks. The practice is so prevalent that insurance companies are now offering policies to pay off hackers in the event of a successful attack.
All of these ransomware attacks are so successful not because of a failure of the information technology folks to do their job, but because of others in the organization not doing theirs. Entire organizations are shut down because someone opened a phishing email and exposed their systems, which were not current with the latest operating system or security patches, to the attack. So, in reality, it was a lack of training and deferred maintenance that caused the problem. These are the types of issues Information Governance professionals must deal with every day.
Let’s start by addressing the training issue first: Nobody wants to be the one who takes down their entire organization due to something they did, but they can’t help out if they don’t know how to spot the malicious emails that make it through the firewall. This takes constant training and reminders of what is going on in the cyber world, how it can affect them and what they can do to deal with it effectively. Training is one of the easiest and most cost-effective ways to deal with cyberattacks because most attacks are aimed at the individual rather than at a system. If you can educate your staff about these threats, you will go a long way toward plugging the holes in your security program.
Now let’s talk about the real elephant in the room – deferred maintenance. The WannaCry virus exposed a dirty little secret that many, if not all, organizations have been dealing with forever. As odd as it may seem, entire international organizations were taken down because they were still running on the Microsoft Vista operating system. This really shouldn’t be so surprising when you consider that most organizations have an old system that runs some critical function, with customizations done over time, that now simply can’t be upgraded without a substantial financial commitment nobody is willing to make.
To be honest, deferred maintenance is something that has always happened and probably always will. As long as Information Technology could keep the system going, there never was an issue. It is only now, with these attacks, that an organization may have to rethink how it plans its upgrade schedule because of the risk these systems represent. It is the responsibility of the information technology department to inform Management of these vulnerabilities, but it is Management’s responsibility to take those warnings seriously and budget accordingly.
So as you can see, cybersecurity is really everyone’s business. The information technology department can only do so much to keep the wolves at bay. It is up to everyone to be aware of the tactics being used and how to respond to them, and up to Management to understand that the risk of deferred maintenance has become more critical.