At first blush, many of us would see this article and immediately file it away in the back of our minds as yet another example of the pervasiveness and destructive nature of ransomware. To be honest, we would not be wrong to reach that conclusion, but I want to challenge you to read a little closer this morning. There is a small ray of hope in this article that can be easily overlooked. The governor of Louisiana is declaring a state of emergency because of these ransomware attacks, but he is doing so because the state of Louisiana has a plan!
The state of Louisiana has a Cybersecurity Commission and a well defined, properly tested and well funded incident response plan. They are prepared to respond to and address these ransomware outbreaks. Resources from state police, the Governor’s office of Homeland Security and the Louisiana National Guard are being coordinated and rallied to the cause of mitigating these attacks. That fact is both noteworthy and exciting. Preparation and proper incident response is an absolutely vital component to any cybersecurity program. Far too often, organizations find themselves shocked, flat footed and lost when ransomware strikes. But not in the Bayou state. Kudos to Louisiana for having a plan!
This article provides tremendous advice concerning a vital component of IT security often overlooked and ignored. To simply state the obvious – communication is key. Yet, in the world of IT security, we very quickly get lost in a sea of technical jargon and alphabet soup acronyms. Technical speakers often get their audiences lost in the weeds of the “how’s” and “why’s” a security control is needed or a risk is eminent, yet those same speakers never realize anyone is lost because they alone hold the map and never look back.
We as IT professionals need to understand our audiences and their capacity for understanding and reason. Technical controls and eminent risks should be translated into real world examples and practical analogies. We need to be succinct, clear, and timely in our comments. We need to choose our conversational battles and not find ourselves perpetually holding an umbrella while ranting as the sky falls around us.
And above and beyond all of these things, we need to shut up from time to time and truly listen. We need to hear what management teams and end users have to say. We need to ask for and receive with a decent modicum of humility constructive criticism about what is working in the security practice and what might be a significant hinderance to business success. There is always more than one way to tackle a problem, and though many of us have our favorite ways of doing things, those favorite approaches do not hold exclusivity when it comes to what is right for any given business environment.
It thrills me to be able to post an article with this title. I honestly do not believe there is anything more important and more impactful to the overall security of any organization than effective user awareness training. An increase in effective training is an increase in overall security.
I have been a student of and an advocate for the SANS Institute for many years. Lance Spitzner and his team do a marvelous job spreading the word of awareness and safety online. This report is a good resource and a worthwhile read. Enjoy!
Just when you thought it was safe to go back into the water….or at least to sail upon it. In all seriousness, these types of warnings and attacks are indicative of the lengths to which cybercriminals will go to steal, pillage and attack. Be cautious and take the time to evaluate cybersecurity controls at every level of your organization.