PwC, as reported by Brian Krebs, conducted a thorough post-mortem analysis of the ransomware attack on Ireland's public health system (the HSE). It highlights two persistent failures that I see consistently. For all the harping on log4j (the latest disaster that highlights how unprepared most organizations are in dealing with security), until these two issues are addressed, breaches will only continue to increase in frequency and severity.
First, a failure to take security seriously, as demonstrated by the lack of dedicated security leadership and focus. "The HSE assessed its cybersecurity maturity rating as low," PwC wrote. "For example, they do not have a CISO or a Security Operations Center established."
Second, the failure of a compliance-based rather than risk-based approach to security. "A common refrain I heard from those interviewed was that if it was security-related but didn't have to do with compliance, there probably wasn't much chance it would get any budget."
Pay now, or pay much more later. Business leaders need to learn the lessons from these constant failures and respond appropriately (and that does not include burying your head in the sand and saying it won't happen to us).