Learning Organisations – Does yours really walk the walk or just talk the talk?


Well its 10+ days since the WannaCry ransomware hit the UK headlines causing havoc in the NHS and for many organisations not directly involved, life has moved on. In business, new customers need to be won, services and products delivered, invoices sent and money banked. So, the cycle of (business) life continues and the threat to that process posed by the very technology used to deliver it all, is conveniently forgotten.

Yet around the corner, if the analysts and market commentators are to be believed, is a more pernicious malware, which doesn’t just use two of NSA’s leaked hacking tools, but all seven!

So, the key question is, how many businesses who escaped being affected by the WannaCry incident will have bothered to study and learn from its lessons to better prepare themselves for what might at some point follow? Here are 5 lessons:
Vulnerability patch management.

Do you know what vulnerabilities your systems have and have you patched to close them out? A cyber security health check could help your organisation understand this situation and the accompanying report help manage remediation.

Unknown / redundant assets.
As systems evolve, elements fall into disuse and get forgotten. These become vulnerabilities and easy entry points for the hacker. If you don’t know what you no longer need, then an internal (informal) audit of your systems could soon help inform you.

Network Segmentation.
If someone does breach your system, do they have free reign from that point onward. The key phrase here is Secure by Design. A good security architecture can help reduce the risk to your organisation should you have a breach. Are your systems designed with this in mind? The advice of an IT Security Architect could not only pay dividends from a security perspective, but engaged early in any IT project’s life-cycle could actually save on your IT costs too?

Consequences – the reality.
Often the terminology associated with hackers, cyber breaches and efforts to prevent them resort to game like language, like “cat and mouse.” But as clinicians, managers and patients count the costs of cancelled appointments and operations and sadly maybe even fatalities too, its clear to them that this is no game. Maybe for some businesses the stakes are not quite so high? But it might be imprudent to underestimate the impacts of an attack on your organisation? So, a robust security strategy including proper risk analysis and management, particularly in light of the impending introduction of the GDPR might be a lifesaver for your business?

CIA (Confidentiality / Integrity / Availability).
This acronym is often used in association with IT security and the one often overlooked is the last. When the victims of a ransomware attack, businesses readily recognise the cost of the ransom they have to pay or the experts they have to employ to unpick their situation. But forget to count the cost of lost orders, idle staff and disgruntled clients. If your business’s systems were to “go down,” rendering them unavailable, what would be the impact, both reputationally and financially? A mature (cyber) security strategy should understand this and help inform the business’s approach to not just its investment in IT, but staff training, communication plans and business continuity plans as well as how it manages its relationships with customers and suppliers.

With increases in cyber crime and changes in the regulatory and legal environment with the introduction of things like the GDPR, will your organisation merely pay lip service or actually walk the walk?

Share this Post

Rate This Article
1 Star2 Stars3 Stars4 Stars5 Stars 1 votes, average: 5.00 Loading...