
3 Actions inspired by Lessons Learned from Ransomware


An EkaLore - HFT Learnings post - by Arnold Kwong


We’ve been running a data breach story, “The Hunt for Talent” in Serial Lore format at the EkaLore site. Read at https://bit.ly/3nbo4Qy


The general media, trade press, and specialty technical discussions have recently focused on “ransomware” data breaches in health care institutions globally – Ireland, Germany, New Zealand are notable instances besides the USA (an FBI/CISA Advisory AA20-302A, October 28, 2020).


Ransomware is only one type of crisis that hits enterprises. In many cases demand for specifically skilled staff is critical during an incident. Senior management is constantly deciding between preparing for an ‘incident’ or taking steps to avoid future ‘incidents’. An incident could occasion urgent needs for specially talented people in subject matters as diverse as biosafety, pandemic preparedness, environmental health and safety, or architectural safety (earthquakes). Senior managers have rarely both earned deep credentials in such specialties and spent years gaining managerial and administrative competencies. In many of these areas spending to prepare for or blunt an incident is simply a ‘deferrable cost’ that management avoids. Costs are avoided with similar rationales to ‘deferred maintenance’ – and similar eventual results.


In computers and networks, specialists talk of “technology debt”. In laboratories, “calibration” and “biosafety audits” are important. A key lesson learned from pandemic preparedness is the need for critical inventory stockpiling and rotation of personal protective equipment and training. Strengthening buildings against weather, earthquakes, and deterioration never seems like a ‘this year’ priority. Environmental management audits (like the ‘paint shop waste’ of past years) find toxins and pollutants in facilities. In short, the deferred and avoided costs result in career terminations and steep remediation costs when an incident occurs.

Actions management can take to effectively limit risks:

1) Start with assessments and evaluations relevant to your enterprise (or institution) – budget for these to be performed and schedule time to discuss them to educate management on real choices.

2) Governance must hold management to budgets and actions that meet the longer-term needs of the enterprise – such as making sure that lab equipment is calibrated and replaced when obsolete or PPE is rotated.

3) Choose a talent-deployment strategy that applies talent and effort to risks at a level the enterprise can afford (for example, use outsourced talent to work on data security where countermeasures need regular updating but not constant expenditure).

Do these steps seem too hard? Is it too soon to take these actions? If you wait too long then your enterprise will be engaged in a Hunt for Talent.


If you’d like to talk about this in more detail reach out to us at: https://bit.ly/3bch955
