These kinds of cyber attack are very simple to avoid in business, and yet the basics of information security management have been ignored. To get the ball rolling, just ask yourself these 2 simple questions:
- Why is our business critical/sensitive information connected to the internet and is it really necessary?
- Why are the same computers that are connected to the internet also used to connect to business critical/sensitive data?
Generally speaking, the answers to these questions are the root cause of your issues. It’s as simple as that. The answers are pretty much irrelevant because if your business critical data and/or sensitive information is connected to the internet, it shouldn’t be. A prime example of a major security risk here is one I spotted whilst in A&E recently, where I watched a nurse shopping for a new handbag online using an NHS computer. Ouch! Why do they have internet access anyway … and on a computer used to access patient/sensitive data?
This has become a critical issue, and yet one that makes CEOs and top management within organisations a joke. Simply because something in the IT arena is possible does not mean it should be implemented. Just because the top brass say ‘we must do it’ does not mean it should be done. Obviously employees do not generally hold the right to question the management’s decisions and so they execute their requests. So, this puts the ball of responsibility fairly and squarely at the feet of the top management.
The very basic risk assessments are not being carried out or are being ignored and projects are being executed just because the management say it must be done. I have seen this so very often and it is painful to see. Systems are forced into an organisation often with neolithic incompetence.
So, whilst you are blaming attacks such as this latest Ransomware issue on the ‘criminals’, ultimately as CEO, it’s your fault/responsibility. Furthermore, as CEO ‘exposing’ private sector operational data to the internet, you are offering systems and data to attackers. Should this not be a criminal offense?
In preparation for BREXIT, I suggest UK organisations step up their competencies, and I don’t mean with qualifications but with common sense; otherwise they are preparing to fail BIG time.