22nd Century World

Ransomware Heists are Only Part of the Board’s Problems

July 11, 2017 by 22nd Century World

By George Platsis & Paul Ferrillo

Originally published on Tripwire, July 10th, 2017

It’s 10:00 am Monday morning and management is in the hot seat. The stock has lost 15 points since the opening bell and is still sliding. The company is being maligned on the news and trolled on social media. Shareholders are demanding to know how the company allowed a breach to happen over the long weekend, exposing 100 million pieces of personally identifiable information. An emergency meeting of all available board members is called for 1:00 pm to discuss the state of affairs and the question, “What do we do now?”

Management and IT hastily put together a presentation of what happened. As soon as the presentation starts, the unthinkable occurs: ransomware takes control. Its demands are simple: $50 million in bitcoin within one hour, or at 2:00 pm the hacker group dumps the company’s R&D and the last year of emails into the public domain. There is no way for the company to recover once this information goes public.

How was all of this allowed to happen?

In times of desperation – and yes, we should consider ourselves in those times right now – friends help friends out with honest and straight talk, not with fluff, pats on the back, or empty comments of consolation. You need to address the illness, however blunt that may be.

If you ever find yourself in the nightmare scenario listed above, it is for one of the following reasons:

  1. You did not spend enough time discussing all matters cybersecurity.
  2. You did not ask the right questions – as a director – on all matters cybersecurity.
  3. You honestly and legitimately did not know how these cybersecurity matters could impact your company.
  4. You had an IT department and/or CISO/CIO/CSO tell you everything was “A-OK” and you – naively or not – believed them.

It is a harsh truth to hear, but better to hear it from us than from plaintiffs or regulators. All we can do is make you look down at your shoes and feel bad. Courts (and the markets) make you feel pain.

If the WannaCry attack did not get your attention, it should have. But you may be asking: “What could I, as a board member, have done to stop these ransomware attacks? Isn’t that a job for my IT department?”

Yes, it is a job for the IT department, but it is also a job for you, as a board member, to make sure the organization is run in a reasonable and “heads up” manner. Remember, if everything tears apart at the seams, you will be asked: “Dear Director, what did you do to prevent this?”

If your response is a blank stare or a Homer Simpson-like “I dunno,” then sunshine, you’re going to have a problem on your hands the likes of which you may have never seen before.

By contrast, if your response is, “Well, Senator, we performed a vulnerability assessment in the following areas, found these deficiencies, and took these corrective actions,” you may find yourself in a much better place.

So, what questions should you ask of your organization?

…read the rest on Tripwire…
