Whatever you choose to do, though, the next step needs to be doing everything possible to make sure it doesn’t happen again instead of breathing a sigh of relief that you got your data back and continuing business as usual. That would seem to be the common mistake here.
Don’t make that mistake.
Security pros, where do you fall on the debate on paying or not paying, and does this report change your thinking?
A good chunk of these breaches are not someone actually trying to steal data, but just someone trying to either make something more easily accessible outside of the office or taking information when they leave related to things like contact information, maybe some documents they’ve written themselves that they want to keep, etc.
It’s likely that these folks aren’t actively trying to commit some sort of corporate espionage, they just aren’t really thinking about what they do. It might just be that the once-per-year required video just isn’t enough to make it top of mind every day.
The Check Point folks, naturally go on to point out how investing in security tools and education to prevent ransomware in the first place is the less expensive option, and even though they clearly have a vested interest here, it’s hard not to agree with the basic premise.
This is the crux of the problem. Personal information is going to be breached, eventually. There is no 100% secure data. None. No business, government entity, non-profit, or any other place that collects and stores data is completely secure. The only true security for personal information is to not have it. To have not collected it or delete it once it’s no longer needed.
That is the radical re-think that is necessary. It’s also the complete opposite of everything these organizations have been taught and incentivized to do. If we are going to pass federal privacy laws, this should be the central theme.
I’m not sure that these companies have done the math. If enough experienced workers in an industry do more than switch between competing offers but step away from the industry into a different career path, there will not be enough experienced workers to go around.
What are you going to do about that? Sit around with unfilled positions and cry about it, or get serious about raising up the next generation of cybersecurity talent?
On the one hand, I have argued before that we need to hold people accountable because, without a stick, our people will not have as much of a reason to care in the first place. On the other hand, a couple of the stats from the report that Doug pulled out tell me something different:
See a sample before subscribing here