I was asked whether I thought the recent Ransomware attack on the Columbia Pipeline would finally wake up companies to looming threats. My response was why? What makes this different? Over the past few years hasn’t there been a steady stream of breaches and ransomware attacks? Indeed there has been!
Yet what I see is the steady erosion of IT and Cyber Security in the eyes of the typical senior executive. They view it as a commodity product and in many companies have even kicked “IT” out of the C-Suite. That companies continue to be cheap with their IT Infrastructure and their Cyber Security shows that there are very few penalties for breaches. Yet the fines being imposed by Cyber crooks are not trivial. Further, the sums involved in so-called double extortion, which involves demanding separate payments for both a digital key needed to unlock any files and servers and a separate ransom in exchange for a promise to destroy and not release any data stolen from the victim, are huge.
Ask yourself these questions:
What would be the damage to your organization’s reputation for a breach of confidential data?
What is the amount of Ransom you can pay before it makes more sense to shutter the business?
I lay the blame at the doorstep of senior executive management who are being penny-wise and pound-foolish. I deal with these types every day. They expect IT to be free and downloadable. They expect they can buy their complete cyber security solution on Amazon. They believe they can just plug in a firewall, install software, and ignore proper configuration. They suffer from an install-and-forget mentality.
As we have seen over and over again, these fools are only fooling themselves, hurting their investors and customers, and enriching and enabling the cyber crooks.
What part of the “Ransomware as a Service” memo did they miss?
So do I think things will change? No. Until there are severe regulatory penalties, and/or shareholders’ ire tosses out incompetent management, not much will happen.