We need to talk about Security
Steve Clarke
Co-Founder of Freeman Clarke and Director of New Initiatives. Co-founder & President - Freeman Clarke US. Fractional CIO and CTO. Enabling ambitious businesses to grow through expert technology leadership.
According to a Proofpoint survey, more than 80% of British firms that had been victims of ransomware attacks actually paid the hackers to get their data back. Only half of those got their data back after the first payment; many had to pay more to get their data back, or never got it back at all even after paying up. That’s frightening.
When it comes to a breach, the finger of blame is frequently pointed at the tech department. Sometimes that’s fair, but often it isn’t. Of course, it’s likely to be a user who starts it all by clicking on a link, but if a company is having to pay up to get its data back, then the IT department has to shoulder at least some of the blame. It has to be our responsibility to make sure our backups are secure and unaffected, and that the security systems are good enough to protect the business from harming itself.
I appreciate it’s hard to get the CEO’s attention on things such as data backups, DR, business continuity, air-gapped systems, whatever. It’s boring, usually expensive and is never going to contribute to the bottom line. But… do you remember Travelex? What about Brighton and Sussex University Hospitals? And what about Uber, who paid attackers more than $100k in exchange for a pledge to destroy the data? A pledge! A company paid a criminal, who then pledged to delete the data they had stolen; that’s desperate!
A cyber attack can bring down a company in many ways: it’s not just loss of data or loss of systems, it’s also wholesale loss of credibility and customer confidence. A business can effectively disappear overnight with the right type of attack. Particularly now, with Russia and Ukraine, it’s even more important for companies to have good defences and to have made sure they really work.
Fear, Uncertainty, and Doubt...
I’ve thought about this more than once and I can’t think of any way to get attention other than through a decent amount of fear, uncertainty, and doubt. If you have alternative ideas, do let me know, because I don’t think there’s a CIO or CTO out there who likes to get the attention of the CEO through FUD, but in this case I really do think it’s the way to go. Helping them understand the bottom-line impact, the reputational damage, and the possible impact on their own pockets and their own freedom should, I hope, get their attention.
And if that’s not enough to get it taken seriously, it must be No. 1, right at the top, with a shooting star, in the Risk and Issue log. You need to be clear about the risks being taken and why. Maybe it’s a bit of backside protection, but it’s also being a responsible and commercially astute member of the senior management team. If the CEO doesn’t take it seriously, then perhaps the Chairman or the Shareholders will. There’s an element of being a whistle-blower about this if the issue isn’t treated seriously enough.
And let’s face it, if it’s not treated seriously enough, you’ve got to ask yourself whether you want the responsibility of working for a company that doesn’t take these things seriously. There are real sanctions that do get applied; the ICO has supported prison terms for serious breaches of Data Protection and GDPR. In fact, the first prison sentence handed out wasn’t even for a cyber breach; it was handed to someone who breached GDPR guidelines and was just an employee!
As early as the interview stage, we should be asking questions about the seriousness with which the company takes its security. And if you discover they don’t take it seriously, then why would we, as senior professionals with great careers behind us, want to take on a job that could end with jail time?! Clearly there’s always the chance they are looking for someone to take it seriously on their behalf, but that’s a different opportunity.
A client of mine once got hit with massive DDoS attacks. We had no understanding of why that could be. By the third attack, we’d marshalled our defences and it hardly affected the website. In the end we decided that someone had taken offence to some of the videos on the website. They were mostly historical, but it seemed the most obvious reason; we never managed to fully bottom it out. The point is that you never know when an attack might happen, and it could be for spurious reasons. In the current climate, it might just be collateral damage, who knows, but we should make sure our companies can weather any storm thrown at them. Now is a good time to be investing in cyber security and cyber insurance, and making sure the Senior Leadership Team fully understands the seriousness with which they should be taking cyber security.
One last thing...
...the NCSC has an early warning system that will alert you when there’s a vulnerability or evidence of malicious activity relating to IP addresses or domains that you use and/or have registered. Our CIOs/CTOs have been using it, and already one client has found a hacked server in one of their business units.
It’s free and it’s here: https://www.earlywarning.service.ncsc.gov.uk/
Do yourself an early favour and go and use it!
Found this useful? Try my other recent articles: Driving Heroes out of the Workplace and Breaking the Unattainable Triangle.
If you’re a CIO or CTO looking to join a rich network of like-minded IT Leaders who collaborate and knowledge-share, you might be interested in our Mentor Groups.
CIO | CTO | IT Director | Digital Transformation | Board Advisor
3y: You should always take security seriously. Protecting my clients' data and intellectual property is always at the forefront of my mind! Great point to discuss Steve