May 25, 2021
The Colonial Pipeline security breach that struck in early May knocked out a critical pipeline that runs from Texas up to the mid-Atlantic region and supplies 45% of the fuel used on the East Coast. It was a ransomware attack at an entirely new level, not only costing the pipeline operator millions of dollars, but most likely driving up the cost of gas for millions of Americans just as we are entering the summer months.
While large scale attacks like these seem to be getting more brazen and sinister, there are hundreds more happening every day to organizations large and small, including hospitals, government agencies, educational institutions and retail chains. To quote Chris Krebs, former top cybersecurity official in the Department of Homeland Security, testifying before Congress last week, “We are on the cusp of a global digital pandemic, driven by greed, a vulnerable digital ecosystem, and an ever-widening criminal enterprise.”
No one likes making major decisions based on Fear, Uncertainty and Doubt (the FUD principal), so let’s approach the subject a different way. First of all, let’s remove the words “uncertainty” and “doubt” right off the bat. If you are a company with valuable assets – customer data, health records, credit card information, trade secrets or other intellectual property – there is no doubt that you are a target of cyber criminals. They may not have gotten to you yet, but you can be certain that they are coming.
That leaves us with “fear.” As Dale Carnegie once said, “”Inaction breeds doubt and fear. Action breeds confidence and courage. If you want to conquer fear, do not sit home and think about it. Go out and get busy.” In other words, fear is the opposite of confidence. And confidence only comes with understanding, preparation and action. The most important thing that a company CIO needs to address every day is security: a multi-pronged comprehensive security approach with a trusted, reputable solution provider. And that must be coupled with a solid business resumption/disaster recovery plan that is continuously evaluated and tested against new cybercrime weapons.
There have been so many companies that thought they were secure only to find out the hard way that they weren’t. We believe it’s healthy to accept the fact that you may not be able to stop every attack. Therefore, your ability to recover quickly is equally paramount. In the case of the Colonial pipeline, the company said it would take at least a week to “substantially” restore its operations. For some organizations, that could be weeks or even months, depending on the size of the data and whether you still have access to an intact back-up catalog.
What is the Cost of ONE DAY of Company Downtime?
Most companies are taking steps to secure their environments; however, in many cases they are still not always investing in the correct areas and right technologies due to the cost factor. What most fail to realize is that the cost of securing your environment properly now is far less than the likely ransomware payment to an extortion group and recovery costs associated with most modern cybersecurity incidents. Operational losses and damage to an organization’s reputation can exceed even the costs associated with recovery in many instances.
Having a good understanding of where an organization is vulnerable and then investing in those areas with the right technologies is key to securing any environment.
Let’s Have a Real Discussion
Here at CPP, we don’t consider ourselves to be smarter than any one of our customers. Because of the nature of our business, we have the ability to take the collective experience of hundreds of projects across a wide range of industries and apply it to future challenges. That’s something that our customers greatly value.
If cyber criminals can stop oil flow to our country, think about what they can do to your company. Hopefully, you are already discussing a multi-pronged comprehensive security approach with a trusted, reputable solution provider. If you aren’t, please reach out to CPP as soon as possible for a meaningful conversation (we promise no hard sell). We will help you protect your company with advice and if appropriate, upgrade your security solutions and assist in the development of a business resumption/disaster recovery plan.
Eliminate the FUD principal. Let’s get you to a place of confidence, preparation and action.