No organization is immune
If you don't take care of the fundamentals, don't be surprised when you fail
PwC, as reported by Brian Krebs, conducted a great post-mortem analysis of the ransomware attack on Ireland's public health system. It highlights two persistent failures that I see consistently. For all the harping on log4j (the latest disaster that highlights how unprepared most organizations are in dealing with security), until these issues are addressed, the breaches will just continue to increase in frequency and severity.
First, a failure to take security seriously, as demonstrated by the lack of dedicated security leadership and focus. “The HSE assessed its cybersecurity maturity rating as low,” PwC wrote. “For example, they do not have a CISO or a Security Operations Center established.”
Second, the failure of a compliance-based rather than risk-based approach to security. "A common refrain I heard from those interviewed was that if it was security-related but didn’t have to do with compliance, there probably wasn’t much chance it would get any budget."
Pay now, or pay much more later. Business leaders need to learn the lessons from these constant failures and respond appropriately (this does not include burying your head in the sand and saying it won't happen to us).