Information Governance Insights: FAQ – Cybersecurity

Robin Woolen, MBA, IGP has worked in the field of information lifecycle management since 1994 with a specialty in strategic consulting focused on enterprise-scale information management.
If you’ve been working in the Information Governance field for a while there are certain questions that continue to pop up. Some you will have a standard answer for and some that will change over time as technology or best practices evolve. In this article I would like to continue the series and give you another question and how I answer it so you can be ready for them as well. This is a more recent one that is becoming more common:

Cybersecurity is a critical concern for any organization, what are the areas that you recommend be focused on to ensure these risks are mitigated?

I am firmly in the camp that says every organization will be hacked at some point. The technology that is used to build malware has advanced, just like all software, to the point where virtually anyone can purchase a malware engine with a simple user-friendly interface and create a hack in a matter of minutes.

These packages are so prevalent that there are hundreds of thousands of hacking attempts every day when coupled with bots that can run all day, every day in an endless loop.  If you look at it from a purely business perspective and compare it, say, to the theory of bulk mail marketing where it only takes about five percent to be considered a success you can begin to see the advantage of this type of “business”. Throw enough against the wall and some of it will eventually stick.

I am firmly in the camp that says every organization will be hacked at some point.
ROBIN WOOLEN
Couple that with the reports that an average loss to an individual is $7,761 and while we do not know what the loss figure is for organizations, we do know from these same reports that cyber-attacks cost the average organization 1.3 million dollars in 2017. That’s a lot of money for something that only needs about five percent to be considered a success.

This does not mean that organizations need to move massive amounts of money into purchasing cybersecurity software packages to beef up their current systems. Studies have shown that the most common attack began with a common fraudulent email opened by an unsuspecting member of the staff. This is known as “phishing” and it is used because it works, particularly when you send them out in the hundreds of thousands of email addresses at a time, and it only takes one person opening it to be effective.

Screening for these fraudulent emails can’t be the sole responsibility of the Information Technology team simply because of the sheer amount of these attacks. It is vital that training and education focus on this area, along with a robust internal testing program, to ensure the entire staff actively understands how to guard against these attacks. Cybersecurity must become everyone’s responsibility in order for it to be truly effective.

Another cybersecurity issue I find often is one that is overlooked and that is the issue of deferred maintenance. Many organizations got a wakeup call with the Wannacry virus that attacked organizations and governments worldwide in May of 2017. The worm attacked systems through a known issue in Microsoft based operating systems. If you neglected to patch your systems before you contracted the virus, you were at its mercy. System maintenance is always a concern when it comes to budget planning time. This is not to say that there should not be limits or any oversight when upgrading systems to the latest service pack or version, but system maintenance should have a higher priority than it has in the past.

The same goes with the level of protection various systems get based on a risk assessment. With the Wannacry attack, for example, the Equifax credit reporting service guessed wrong with a relatively benign system on a customer service site. There is always a tightrope to walk on which system to decommission or upgrade, but it should be obvious that system maintenance needs to have a higher priority than it has in the past.

Cybersecurity can be intimidating, and many organizations can easily overreact with massive budget increases implementing the latest technology when it could be quite possible to protect the organization from the most common security threats in a much less costly way. Continual training and testing of the staff coupled with an improved system maintenance program can go a long way to ensure your organization is protected. There is always time to implement software if it is needed. Try the other steps first.

Want new articles before they get published? Subscribe to our Awesome Newsletter.

CAREER ADVICE

Advice from top Career specialists

GOV TALK

Articles about the Public Sector

TRENDS

Public Sector Trends

Pin It on Pinterest