Prologue: There are many opinions and points of view with regards to the origin and nature of COVID, response to the pandemic (or plandemic if you prefer) and vaccinations. I’m not here to express any opinion, but will borrow from these events as I briefly use vaccinations as a metaphor. And thanks for my former colleague Jason Popp for coining the phrase that I’m borrowing.
In a comment to a LinkedIn post about ransomware, Jason said, “If ransomware is a pandemic, then most organizations are anti-vaxxers.”
Brilliant.
I’ll state this another way: the tools and techniques for ransomware prevention have been around for decades. Decades. By and large, organizations hit with ransomware are not employing these techniques effectively, if at all. Implicitly, most organizations choose not to employ the safeguards that would prevent most ransomware attacks.
Why? Good question. Perhaps it’s normalcy bias. Or that cybersecurity is too expensive, or inconvenient to users, or that it’s too hard to find good cyber persons. Or, cybersecurity is a distraction from the organization’s mission (and ransomware isn’t?).
Ransomware presents several challenges. First, most companies that pay ransoms still don’t get their data back. And, more recently, the U.S. Treasury department Office of Foreign Assets Control (OFAC) has cited that paying ransoms to cybercriminals is a violation of OFAC laws.
The solution? Perform or commission a risk assessment. Hire cybersecurity professionals who knows how to fix deficiencies and manage effective security governance, operations and response.
Or, just stop using computers.
Peter H. Gregory 