A single unauthorized download recently crippled the Louisiana state Office of Motor Vehicles (OMV) by infecting the government network with ransomware. This caused many of the office’s email and internet services to be disrupted, as the cybersecurity response team had to disconnect large portions of the network.
Impacts from cyberattacks often go beyond financial losses, affecting your clients’ operations
Not only did the attack disrupt the government’s network, but it impacted businesses such as trucking companies that couldn’t apply online for things like “overweight permits”. When you think of the far-reaching effects of an attack like this, the impacts can cause more than just productivity losses. There is the real potential for a loss of public trust in the organization that suffered the attack.
Telling employees to “be more careful” is not helpful when they have productivity goals
Employees often have the best of intentions when they want to download software from the internet. Giving them the benefit of the doutbt, they might think it will make them more productive. But if they don’t understand the risks of installing unauthorized software, the business is at risk of being put completely out of commission for days or weeks. Ransomware can not only lock up a computer by encrypting all of the data on it, but it can spread rapidly to all computers, servers and file storage systems connected to the same network.
If employees haven’t been properly engaged, is it really their fault?
Of course, it’s easy to point the finger at employees who didn’t follow a published security policy, as the Louisiana Cybersecurity Commissioner did by saying, “Somebody didn’t play by that book, and if it was up to me, I’d fire that person.”
The problem with taking this position is that employees are often trying to work with conflicting priorities, to be productive and at the same time, work safely with sensitive information and systems. If the organization doesn’t have an effective cybersecurity awareness program in place, then employees are often ill-equipped to remember the rules, or even to consult the procedures, in risky situations.
That’s not really their fault. It’s the fault of management who has not adequately prepared the employees to handle the risks they face on a daily basis, and make good decisions in the face of conflicting priorities.
A reference article with more info on this incident can be found here.