Ransomware and Protecting Your Public Image
Least Privilege, Data Security, Data Governance and the Trusted System Standard
Costs of ransomware and breaches, not in any particular order:
- Paying the ransom
- Isolating the impacted system
- Notifying the impacted customers
- Loss of critical data
- Even if the ransom is paid, the organization is now the target for follow on attacks.
- Reverting to paper-based processes
- Replacing vulnerable legacy systems
- Decline in share prices
- Increasing insurance costs
- And not least, public mistrust
Ransomware attacks and data breaches are in our daily news feeds. I have yet to meet anyone who has not received a notice from some company that their information was part of a breach, and, an offer of a “free” subscription to monitor your credit record going forward. Personally, I close out my account and as a resident of California, request to be forgotten by the company. I don’t participate in customer loyalty programs anymore, either!
The companies whose data has been held for ransomware or have had their data breached, pay not only to “fix” the specific breach in the list above but also pay a reputational toll and loss of the public’s trust in the company’s ability to protect their information. Operationally, the company has to identify all systems of record to identify whether or not PII, PHI or company confidential information exists in them. If your website has a contact us page – you are gathering PII. Is it identified in your data map as a potential data source?
In a recent data mapping project, over 70 separate applications held private data AND there were documents and records across hundreds of shared drives and in personal cloud drives. Documents with restricted access were in places with out access controls due to all these copies. Least privilege rules, including redaction of specific words and phrases, were applied in the various applications once the documents got there. It was in the ingestion process through email and third party applications that least privilege became most privilege.
Is mere redundancy enough to protect your business? Redundancy, in data backups, is a de facto standard in a business continuity plan. However, those very back ups are a target for ransomware attacks, creating the very disaster they’re meant to address.
Putting in a ransomware-proof real-time business continuity application, like Assureon, is an excellent solution. But first, the data mapping has to be done and/or updated so you know where to find the data/records/information that need to be in Assureon.
When was your records and information policy, including a records retention schedule, last reviewed and updated? Is it published per the latest DOJ guidance as an online, searchable document? Do you have records of employee attested training as to how data/records/documents are managed? Without these components, the C-Suite cannot assure their stakeholders that the company information is secure and well-managed. To maintain trust, constant vigilance in the C-Suite is necessary.
Contact us today, Western Integrated Systems has the experience and expertise to implement and audit this end-to-end records and information lifecycle process to meet the Trusted System standard.
0 Comments