$10 million.
That’s how much it’s going to cost the city of Baltimore to recover from a recent ransomware attack that took down vast swathes of the city’s services. Thankfully, city officials aren’t paying that money out to the criminals responsible for the attack – instead, they’re using it to update the city’s cybersecurity.
It’s a measure that’s long overdue. At the same time, it’s hardly surprising that it took a devastating ransomware attack to wake the city up to the possibility that it was a target. Every organization has cybersecurity blind spots.
In Baltimore’s case, it just so happened that the blind spot was the fact that its entire approach to cybersecurity was flawed.
This is unacceptable. At the risk of sounding like a broken record, the cybercrime industry is booming. As we bring more systems and data online than at any other point in human history, businesses in both the public and private sector need to own up to their duty of care.
In short, they need to do better.
It is unlikely that your organization’s approach to cybersecurity is quite so poor as Baltimore’s was. At the same time, there are probably weaknesses you aren’t aware of. The good news is that you’ve already taken the first step to addressing them.
Awareness. Now that you know there might be a problem, you can take the necessary measures to address it. Ask yourself the following questions.
- How involved is your IT department with your organization’s overall culture? What role does IT play in business decisions? Do your IT professionals regularly involve themselves in meetings and endeavor to understand the needs and workflows of other employees?
- What process does your organization have in place for permission and account management when terminating an employee?
- What vendors does your organization work with, and what measures do they take to protect their data and infrastructure?
- How does your organization handle onboarding of new devices and users?
- What non-business devices are present on your corporate network? Do these devices represent a cybersecurity risk?
- What sort of training does your organization have in place for social engineering attacks such as phishing emails?
- How do your employees typically communicate with one another? Do they share any sensitive data as part of those communications?
- Has your organization invested in cyber-insurance?
- Are your security policies, procedures, and processes well-documented?
- What is your update cycle for corporate software?
- How are you dealing with Shadow IT?
These questions aside, the best way to find flaws in your security that you yourself may have missed is to bring in a third party. Hire a security analyst to examine your ecosystem from top-to-bottom, and have them report back to you with any issues they find.
With their help and through their recommendations, you can move away from your cybersecurity blind spots and towards a better overall security posture.