Disturbing news today that U Cal San Francisco School of Medicine paid $1.14M USD to a ransomware group after it had breached their systems. Shameful and irresponsible for those in the UCSF IT organization. Cybercrime in all its variants continues to grow dramatically at the individual citizen as well as large entity levels. Email and phone scams and ransomware attacks on the average user are pervasive. Too many users out there just do not take even the simplest of common sense steps to avoid getting harmed by these attacks, and the monetary impacts alone can be significant.
However, when I see major universities and enterprises getting nailed – it irks me to no end. Far too many entities do not place enough emphasis on security and they either do not hire properly trained/certified/experienced security experts and/or do not place enough focus on security as a critical factor. Developing in-house or purchasing a security package from the marketplace is only one step towards securing one’s systems and data. Security is not a one-step/one-time thing. It requires a deep study and understanding of the overall architecture of the systems and how security is applied. Systems change, and when they do, the potential security impacts far too often go unconsidered. It requires constant vigilance 24x7 and security redundancy at multiple levels.
The hackers out there appear to get smarter each day – heck, they have open conventions on ‘how to’ do this stuff. With tech advances come toolkits, which they turn to evil uses.
But again – if an entity wants to secure what they have – it starts at the top of the exec chains, especially the CIO, CTO and CSO levels. Two decades ago I recall going into meetings with these types of Visa or Microsoft customers – many were on top of their game for sure, and then there were a few that made me wonder how they ever got the job. They were about as qualified to head a tech organization as I was ready to teach Quantum Physics at some University.
With system breaches continuing to fester, will technology organizations ever learn that solid security is at the top of the priority needs?