Following the recent international cyber-attacks, Phil Beckett, MD for the Disputes and Investigations practice at Alvarez and Marsal, commented:
“The nature of the recent international attacks demonstrates that data security is not a sector-specific issue. Industries ranging from health services to delivery firms have been affected, despite being diverse in nature. This includes both the types of technology they utilise and the countries they operate in. However, they all shared one commonality, which left them vulnerable to attack: they were using out-of-date operating systems and applications.
When it comes to data security, there is a tendency for discourse to be focused around the technology at hand. However, the reality is very different. Although the attacks were a result of outdated systems, the causes of outdated systems being left running are the crux of the issue. A lack of investment and appropriate processes, controls and updates leads to outdated systems. Furthermore, a lack of preparation for response – meaning no training processes to help firms protect themselves from attacks, including having staff training for all levels, escalation mechanisms and public relations management in place – not only left organisations vulnerable but caused the problems to be blown out of proportion. This was true whether their systems were outdated or not.
The reality is, all organisations and their employees need to be aware of and educated on cybersecurity threats. For this to occur, three things must be in alignment:
- i) Unlike dogs, computers really are just for Christmas instead of for life. Their operating systems and applications must be consistently upgraded, added to, and invested in, to ensure that optimum protection can be achieved.
- ii) Situations like the one we’ve seen hit the globe this week are avoidable. Good patching policies and procedures need to be in place to ensure you are up to date with the latest patches and therefore not vulnerable to attack.
- iii) Multi-layered protection is the way forward if organisations want to ensure that they aren’t leaving anything to chance when it comes to combatting cybersecurity threats. There is nothing that beats multi-layered protection, because if one control fails then another can kick in to stop a threat from growing into a problem.
The businesses hacked may have been able to prevent the attacks by taking proper precaution and ensuring systems are up to date. Having properly trained experts to identify the need for new software, or enough people on the ground to prevent the attack can help businesses mount an effective defence. It’s becoming more and more obvious that the C-Suite needs to incorporate cyber risk into risk management strategies, not only to mitigate risk but also to comply with the ever-changing legislative requirements.”