When I was a student at Bensalem High School, I had a teacher named Ms. Stockman who commuted every day from Delaware to the Philadelphia area. She had one of the toughest jobs imaginable: educating and supporting a large number of high schoolers in a very socially and economically diverse area. She would help anyone with their problems and could be trusted as both a confidante and an excellent giver of advice. She had many of the characteristics of a great leader, and she educated many people who have since become leaders themselves.
We need someone like her educating our leaders on cybersecurity. I learned a lot of lessons from Ms. Stockman, the most important being that you will be asked questions by people who do not know enough about the subject to be sure they are asking the right ones. You need to make sure your customer understands the answer, and you need to build enough rapport that they come back to you with further questions. Teachers like her are sadly few and far between.
Since late 2013, ransomware has been the most prevalent threat to organizations' technology environments. The criminals who employ it have spared no one, including nursing homes and hospitals. This blog series will focus on the critical mistakes leaders make when it comes to protecting data, and on how they can go about mitigating those mistakes for the betterment of the organization.
Let’s start by examining why cyberattacks are often successful.
The overriding goal of most corporations is to cut costs as far as possible. Entrusting complex environments to the same group of people who have always managed those systems, without building security into operational management, has led to several problems. Not following up on risk assessments and risk management plans, and failing to understand who is on the network, has handed opportunities to criminals. Capital budgeting in many organizations is based on anticipated return on investment (ROI); a lower ROI means a project may not be selected. Therefore, many organizations cut the IT portions out of capital submissions except when strictly necessary, because there is a perception that information systems (IS) already exist as a resource that can be plugged in as needed. I have witnessed this both with customers and as an MBA student in class in 2014.
Modern ransomware attackers exploit the fact that most organizations put in technology without thinking about how they will manage it, or how they will effectively monitor their networks for anomalies and intruders. They know that the people in charge are accustomed to closed local networks and therefore believe security controls can be loosened internally (hint: under HIPAA this is not the case, but try telling that to some managers). They map out networks and plan attacks for maximum effect, then detonate ransomware at critical locations. This reconnaissance can go on for months without detection, as the devastating attacks on Baltimore and New Orleans showed.
The products pushed by many security software and hardware vendors promise to automatically identify and address vulnerabilities with minimal effort and staffing. It reminds me of the “easy” button at Staples. Much of the time, organizations do not truly understand risk management and believe these technologies will be adequate to prevent incidents (despite warnings from team members, consultants, and executives). We are often told to allow security exceptions for business reasons, even when they are high risk, and any complaint about those exceptions usually falls on deaf ears.
What we are experiencing now is also the logical outcome of disincentivizing our user community. There is so much focus on meeting key performance indicators (KPIs) and financial targets that any deviation that causes a number to be missed is penalized. Call centers are especially susceptible to this. They are managed so tightly to KPIs that employees are less likely to report fraud, because doing so affects their numbers. That is exactly the kind of thinking SIM swappers take advantage of.
By penalizing people who want to report issues, we are disincentivizing them. The same holds true for security teams and managers who actively work against (and badmouth) users, and for those who view information security as an unnecessary hindrance.
Some leaders believe that managing IT in the distributed age is the same as it has always been, with just a few small additions, and that they will not be attacked. Ransomware demonstrates that this does not work, and it will continue to be effective for as long as this thinking persists.
In the second installment, we’ll focus on how leaders can set realistic expectations, define effective processes, and empower teams to be better equipped to address technology risks.