White House, businesses hit snooze button after Petya, WannaCry wake-up calls
Despite devastating impact of cyber attacks, motivation to spark preventive action lags
By Paul Innella, ThirdCertainty
WannaCry was a wake-up call. Petya is a wake-up call. Last I checked, wake-up calls were meant to bring about change.
After WannaCry, we saw a massive surge in patching around the globe, not to mention a 22-year-old “accidental hero” in the U.K. who helped halt the malicious software. It’s proof that beating the drum continuously to public and corporate institutions about serious cyber defense tactics doesn’t seem to do the trick, and once again we will see a tangible drop in cybersecurity activity until the next big attack. It will only keep getting worse.
The question is quite simple—why aren’t organizations doing more about this? We witness the answer every day: Most organizational leaders refuse to support their internal teams when asked for procedural change or proper funding for cybersecurity defenses—which cuts their bottom line.
In practice, it’s quite easy to see the lack of emphasis given to cybersecurity when it warrants only 3–6 percent of IT budgets, and oftentimes that number includes risk management. Moreover, our community just now is scratching the surface of providing tangible cybersecurity reports to the organizational board level, meaning its level of import is still not equal to that of numerous other reporting requirements.
There are strict physical safety measures imposed on numerous industries, like seat belts and airbags, yet we need look only at the current U.S. administration and its public stance on cybersecurity to see an instance of unbelievably insufficient governmental policy.
The entire intelligence community and the cybersecurity community that supports the government know, and have known, that the Russians have sophisticated teams and methodologies that have been used to attack us for years. This administration seems to have turned a blind eye to our national defense given its consistent refusal to admit Russia’s complicity.
This makes a bold statement that the White House has no intention of preventing, at a policy level, cyber attacks. There are still gaping holes in the federal CISO and White House CISO positions and we haven’t received any movement in policies or executive orders of any substance.