written by Chad F. Walter
I was recently asked what my biggest cybersecurity concern was for 2015. Great question, and it didn’t take me long to respond – “The Sony breach”.
Now, I’m not all that concerned with someone dictating the release of another mediocre Hollywood movie. What really troubles me is when the next hijack, hostage, extortion (call it what you want, terrorist attack even) style hack hits our most critical services.
For instance, I can easily see an attack of this nature focused on seriously disrupting critical healthcare services. Imagine in today’s environment of IoT (Internet of Things) and IT dependency, a Sony style hack directed at a major hospital. I fully trust that our doctors, nurses and medical providers would adapt to providing services without IT, but at what cost? Basically, healthcare would instantly be thrown back to the 1970’s. Without having access to EMR (Electronic Medical Records) or PHI (Patient Health Information), the potential for mistakes could be catastrophic. The result of an attack of this nature would make the recent Sony hack seem like child’s play.
Now, the obvious reaction to my concern would be to advocate for a move away from the “internet standard” we’ve come to rely on. That would be ridiculous for many reasons ~ not the least of which includes having immediate access to the best information (and tools) when you need it most. What I am advocating is that it’s time we recognize what we have in relation to the current risk landscape and then protect our assets accordingly.
I’m also advocating that our lawmakers build legislation from the risk foundation up. Let’s face it, breach notification legislation is great, but it’s designed to address the aftermath of a breach, and not to actually protect citizens from the initial attack. I get the premise; it’s really trickle down legislation. If the resulting fines and impact are big enough on the back-end, then organizations will protect the front-end.
We saw the breaches in 2014, how’s that working out?
Is it enough to stop the next big attack on critical infrastructure?
So, what are YOU most concerned with? If your organization suffered a Sony style attack, how would you survive? How do you think the customers you serve would react?