Last week, national news was made again as 23 local governments in Texas were hit with ransomware. The attack was very damaging, paralyzing city services and communications, potentially leaking sensitive data and causing the permanent loss of critical, historical files. This ransomware attack comes on the heels of two (2) other ransomware attacks that have grabbed national headlines over the past few months (City of Baltimore, Maryland and the City of Atlanta, Georgia).
Today, cities and governments of all sizes are consistently in the news as being victims of ransomware. Yet amazingly, these organizations seem to continue to employ the same cyber-security strategies and IT professionals who want to focus on simply “patching” and “hardening” existing Microsoft Windows environments, a strategy which has proven to be inadequate at best and a dismal failure at worst.
And the IT community and the media just reinforce this behavior as article after article continues to make the case that the answer to government ransomware attacks is to spend more money on “Windows security”. “Make sure your virus programs are up to date.” “Make sure you have backups of all of your data.” “Make sure you have the latest and greatest network security.”
On the surface, spending more IT money seems like logical reasoning. But, if you step back and examine this hypothesis, the idea doesn’t seem very logical at all.
Consider this analogy:
Say you see the need to provide taxi service to your community. So, you invest in some automobiles and hire some drivers, deducing that the income derived from taxi fares would far exceed the cost to purchase the vehicles and hire the drivers, making your business idea a very profitable venture.
But, within a few months, you realize that you are also going to have to offer your drivers health insurance and various other benefits if you want to retain them. Since your business is making a very hefty profit, you oblige, thinking the cost of the benefits will barely dent your total profits.
However, it is not long after adding the benefits that you start receiving complaints from your customers about the dirty vehicles that are picking them up. Not wanting to lose your customer base, you cut into your profits again and invest in a car wash facility that your drivers can use before hitting the road every morning.
Soon after adding the car wash, your drivers then begin complaining that vehicle maintenance lights are coming on, the tires are balding and the brakes are squeaking. It is then you realize that you need to build a maintenance facility to keep the vehicles running. So you begrudgingly spend additional monies on the facilities which further shrink your profit margin.
After a few years in business, you think about how much you dislike dealing with HR issues and keeping the vehicles in service and how the majority of your profits are now going into areas that have nothing to do with the taxi service you originally set out to provide.
Meanwhile, another person comes up with a different kind of taxi service that not only allows them to offer their service to a much greater audience than you, but also means they do not have to purchase, maintain or sell any automobiles, nor do they need to pay employee benefits to their drivers. Who do you think will have fewer headaches and be in a better position to make more money? You or the guy with the new idea?
Well, if you have any doubts, just look at the story of Yellow Cab and Uber as this is their story. In 1907, Yellow Cab came up with and kept funding an idea that worked for over 100 years – that is until 2009 when Uber came along with a better idea. The result – Yellow Cab filed for bankruptcy and Uber is now a billion-dollar company.
Just as it would not make sense to continue paying for a fleet of vehicles to sell taxi service, so too is it illogical to continue pouring money into local legacy Microsoft Windows environments if better alternatives exist.
Yet, if you walk into virtually any government body today, you will see department after department dependent upon Windows networks, servers and machines which are managed by IT professionals or consultants who, for job security or financial reasons, have no motivation to change the status quo.
Moreover, government organizations are often very resistant to change, as a government is not dependent upon how productive it is and neither government employees nor their representatives face the same consequences of wasted money or data breaches that a private sector business or employee might face.
The good news is, there are viable ways for any organization to significantly reduce its exposure to cyber-attacks. At Cave Consulting, we believe in a three (3) step approach:
STEP 1: EDUCATE
A cyber-security professional is engaged to educate your IT team, employees and elected officials. They can tailor a security solution around your organization’s specific needs and help arm individuals with protection against would-be cyber-criminals.
STEP 2: HARDEN
A cyber-security professional is engaged to help you harden your local Windows network and/or virtualize it. These security experts can properly configure and manage firewalls, provide secure logins to local devices and monitor network and cloud application activity. Virtualizing your local Windows network will transfer much of the cyber-security responsibilities off of you and onto a group who is better equipped to secure your data.
STEP 3: AVOID
You completely eliminate your local Windows environment by moving to cloud-based applications such as GSuite and replacing your Windows machines with more secure Chrome devices. This will greatly reduce your chances of becoming a victim of a cyber-attack which typically focuses on the insecure Windows Operating System.
Cities that heed this approach will not only make better use of the taxpayers’ money but will be less of a cyber-security target and will be able to reduce the negative effects of a successful attack.