The threat is your “people”. While the inquest into the vulnerability of NHS systems is under way and the politicians line up to spend multiple billions of pounds on promises to upgrade NHS IT, the real threat remains inside the organisation.
The threat is your people
The uninvited ransomware was allowed into the various systems, at the various organisations and trusts, by a human being: someone who opened the attached file and permitted the code to execute. Systems are only as good as their last update, and in the case of email attachments only as good as the latest signatures supplied by your security vendor and applied to whatever security devices are in place to scan emails and their attachments. Unfortunately these are sometimes behind the curve and can never protect against every threat out there.
The threat is your people, from the most junior to the most senior. Sometimes the most senior are the worst offenders. Why? Because they have the power to prevent, delay and postpone replacement systems, upgrades and downtime. People simply rely 100% on their systems being immune from failure or attack; they open emails without thinking, allowing the attacker into their systems in the blink of an eye. People seem to think they walk into a cyber fortress when they come to work, that they are completely cut off and safe from any vulnerability and can act at will, then just call their tech team to resolve any issue there and then.
A properly formed upgrade or replacement plan that has the approval of all key stakeholders, and is actually carried out when planned, can go a long way towards helping with the people problem. A well documented, written agreement for upgrades and replacements, containing agreed methods and timescales for the upgrade or replacement, and agreed key steps for any “roll-back” options that would return the system to the key users on demand if needed, either during or after the work, would be a refreshing approach to upgrades and replacements.
The current attitude that downtime is a last resort has surely been seen for what it is during the WannaCry outbreak: a short-sighted, ignorant, irresponsible and foolhardy approach to the security of critical IT systems.
At the end of the day, it is one or more of your “people” that are allowing this to continue. Until things change and IT security is taken much more seriously, nothing much will change. The people have the power to change processes, attitudes and systems, but they also need the will to stand firm in the face of the adversarial senior management teams that ultimately take the key decisions over critical IT systems.