Executive Management and the Board of Directors are asking Chief Information Officers (CIOs) and CISOs about WannaCry this weekend. The illiteracy and complacency of key officials in business and government across the globe are again evident today:
"The ransomware strain WannaCry (also known as WanaCrypt0r and WCry) that caused Friday’s barrage appears to be a new variant of a type that first appeared in late March. This new version has only gained steam since its initial barrage, with tens of thousands of infections in 74 countries so far today as of publication time. Its reach extends beyond the UK and Spain, into Russia, Taiwan, France, Japan, and dozens more countries."

If you are an Operational Risk Management (ORM) professional in your particular organization, you may be on high alert. You may have had a few sleepless nights since Friday, as the wave of infections propagated across systems and networks running Microsoft operating systems.
Are you or your organization a victim? Why?
The illiteracy and complacency of senior management across commercial and government enterprises about information security continues to plague our critical infrastructure sectors and institutions. In 2017, this fact is our greatest vulnerability and threat.
How does any legitimate organization, public or private, explain being subjected to an exploit that has been known about for months? What excuse could there possibly be for not having patched a system that is most likely far beyond "Out-of-Date"? Many excuses will be offered, and many people will try to explain to the Board of Directors that the funding was lacking or the systems network was too complex. Yet here we are in 2017, with the same set of complacent attitudes and practices still in existence.
Emily Dreyfuss at Wired.com sums it up nicely from a government perspective:
"All of this underscores how digital illiteracy at every level of government endangers the security of the nation and the functioning of democracy. It takes a multi-pronged, concerted approach, with smart internal policies, federal legislation, tech savvy diplomats, and a willingness to realize information security is a critical skill for the defense of the nation—all of which is incredibly difficult to achieve even when a government is functioning well."

At the dawn of the World Wide Web, many of us in the "Information, Communications & Technology" (ICT) industry understood and studied the new ecosystem and battle space evolving before us. All of those subject matter experts and government officials have been immersed in the Internet environment for over 20 years. Even to this day, we wonder why executives still "Don't get it."
We understand that not every executive is going to grasp the technical vulnerabilities behind ransomware. Yet are those same executives capable of understanding the simple concept of Disaster Recovery Planning? The ability to take incremental and daily backups of data? We think they can also understand the concept of patching systems that are vulnerable.
The budgets devoted to ICT are in many cases a mystery to illiterate executives. CIOs and Chief Information Security Officers (CISOs) would most likely say, in general, that they do not have enough resources to fight the battle. This is known.
Trust Decisions that occur within the ranks of senior management are now maturing to the point of focusing on building digital trust across the enterprise. The decisions to trust between humans are different from the decisions to trust between machines. Or are they?
Achieving Digital Trust requires a vast yet easily comprehended set of rules and policies. Is the United States losing the race for "Digital Trust?" Consider this blog post from Jeffrey Ritter:
"Advances toward digital trust, whether enabling commerce or government autocracy, require enormous resources to create the inter-dependencies and inter-operabilities that enable digital information to be functional and useful. The conspicuous absence of those resources is simply leaving the United States on the sideline. The disruption of digital trust may likely gain such momentum that no amount of “catch-up” investments will enable the combined assets of government and industry to catch up in the global, wired marketplace that now exists."
Executive management across America has a choice. You as an individual could raise your education and awareness level on your ICT landscape in several ways. This in turn may reduce the overall level of illiteracy and complacency across our critical infrastructure domains, and will eventually lower our vulnerability over time. Here is one solution: StaySafeOnline.org
Let us start the lesson by defining the landscape and the battle space. What is the "Deep Web?" It is that part of the online universe that is not indexed by traditional search engines. But how large is it? When many executives are asked this question, they have no idea. Not a clue.
The "Deep Web" is 500+ times larger than the surface web and growing. The "Deep Web" is 7500+ terabytes vs. 19 terabytes that Google and others capture. Wake up and realize the magnitude of the problem set as you consider the next budget allocations for the safety and security of your enterprise.
The Trust Decisions you make with your colleagues, partners, employees, customers, communities and countries will either make you more trustworthy or will erode and erase trust. At the pinnacle of your next major Trust Decision, ask yourself whether you are truly "Achieving Digital Trust..."