It seems that not a week goes by without news of another large-scale data breach. And last week was [sadly] no different, with a large part of the National Health Service (NHS) in the UK brought to a halt by the #wannacry malware that infected hundreds of thousands of machines across the world.
And the sad thing about this hugely public attack and breach is that it was entirely avoidable, had the organisations affected had an effective data management and security policy in place.
Many organisations, including Microsoft, had identified the #wannacry ransomware and its variants around 3 months prior to the widespread attack and had put out an update to counter the threat. However, despite notifications from Microsoft and others, and despite the tried and tested policy of keeping systems up to date with the latest hotfixes, updates and patches, many organisations suffered outages and loss of data that will run into the hundreds of millions in cost terms. For the NHS, the wider impacts will not be known for some time to come, but the short-term impacts on hospitals, surgeries and ultimately their patients were significant.
Although press reports of the #wannacry incident focussed mainly on the relatively low [perceived] value of the bitcoin ransom payments to the cybercriminals, the more obvious cost was a general loss of trust in organisations' ability to protect themselves from data loss, especially when that data is sensitive and highly personal in nature.
And for Britain’s NHS, the data itself, as well as the threat of it being lost, could have led to a loss far more catastrophic than money.
So where do we go from here? In the past 2 years alone we have seen huge organisations succumb to data breaches that could have been avoided if they had taken the approach of outsourcing their security policy to expert organisations. Not only that, but the rate at which these organisations fail to secure their boundaries, and thus suffer a data breach, is accelerating.
To the average business leader, the EU-GDPR, PSD-2, PCI-DSS and many other regulations, directives and standards are almost impenetrable beyond the headline or cover text. And the fines associated with non-compliance are on the increase. All of this, though, pales into insignificance when held against the loss of revenue that follows the sharp reduction in customer confidence and engagement after a data breach.
Organisations and businesses need to catch up and accept the reality that the best defence against losing data is never to have access to it in the first place. They also need to accept that this high level of outsourced protection comes at a cost, which needs to be properly budgeted for.
As I sit here on my flight to the CNP event, I can’t help but think that it really is time to accept that protecting organisations and their customers from cyber attacks and data theft should be one of the top priorities for all businesses, and not something that should be left to IT managers with dwindling resources and expertise to counter.
Ransomware such as #wannacry can and does wreak havoc. Don’t let your organisation be the next headline because of lax defences against the increasing threat of data loss.