It’s been a busy few weeks in the world of cyber security. First, it was revealed that Russian hackers tried to meddle in France’s election. Then Microsoft quickly issued a patch after a security bug was found that could allow cyber criminals to,in essence, hijack any Windows computer. That was followed this past Friday when a massive global ransomware attack struck – crippling Britain’s National Health Service, FedEx, Spanish telecommunications giant Telefonica, the French car maker Renault, and many others. The ransomware bug was destined to continue spreading across computers worldwide, until the code’s “kill switch” was inadvertently found and stopped the spread of the virus, at least temporarily. Cyber experts across the globe are still scrambling to get to the root of it so that it can be permanently disabled.
On the other side of cyber news, last week President Trump issued an executive order that outlined plans to improve data security for federal agencies and to better protect critical U.S. infrastructure, perhaps somewhat timely given last Friday’s massive cyberattack. While most cyber security experts agree it doesn’t go far enough to truly address the problem, it was a good first step but only if appropriate resources and funding are put behind it so that the vulnerabilities in our current system can be adequately addressed.
What does this mean for you? Cyber attacks and breaches – be they malicious, accidental or state-sponsored, are not a question of if, but when. So what can a company do to protect itself?
- Cyber security needs to be a top priority with accountability assigned to the most senior-levels of the organization. The C-suite not only needs to understand the critical need for top-level security, but must invest in it too. You can’t protect your data with outdated or barebones technology. And whether the C-suite likes it or not, the Board may assign accountability there post-incident anyways. As we’ve seen in past breaches, the head that usually rolls is the one at the top (e.g. Target, Yahoo!).
- The investment needs to extend to examining your internal organization and performing a vulnerability assessment – not just on your IT, but where weak points may be via your employees. Most breaches are ultimately caused by humans. Malware usually doesn’t open itself – someone, somewhere clicked a button. Do you have a social media policy and do your employees actually understand what it spells out? Employees can accidentally reveal far too much about a company on Facebook or Twitter not realizing that cyber criminals may be watching.
- Post vulnerability assessment, cyber crisis planning and training are key. A breach may be inevitable, but how your organization responds to it can make or break your reputation (not to mention protect share price and minimize legal liability).
While the mass ransomware attack of the past week certainly highlighted just how vulnerable we all are, with a combination of technology and preparedness organizations can create viable protection for themselves.
By Heather Wilson