by Jay Chaudhry, CEO and Co-Founder of Zscaler
If you’re having a bad day, know that things could always be worse: This message could have greeted you when you turned on your computer.
One fateful morning last November, that ransom note showed up on the screens of employees of German plastics manufacturer KraussMaffei. In March of this year, Arizona Beverages workers received a similar threat. Both companies had been infected with particularly virulent strains of iEncrypt malware, and the attacks crippled systems at both companies for days.
The iEncrypt story is nightmarish: Two successful companies are brought to their knees as malware replicates inside their respective corporate networks. No company deserves what KraussMaffei and Arizona Beverages went through, and I won’t speculate on what contributed to each company’s vulnerability. But we can learn from these attacks.
In cybersecurity industry parlance, never let a breach go to waste.
Whatever You Do, Don’t Sit Still
Organizational challenges such as institutional ennui or even budget cuts can lead a company to retain outdated, insecure systems, exposing the company to a targeted attack. Especially in light of recent high-profile ransomware attacks, IT leaders must ensure they can protect digital assets and minimize damage if breached. But, too often, companies are slow to keep security standards current to respond to the newest malware threats. Similarly, recovering from an intrusion is difficult when backup systems are untested or improperly set up (imagine trying to put out a fire with a faulty extinguisher).
When it comes to cybersecurity, complacency is toxic. An ingrained culture of “we’ve always done it this way” can obscure threats, mask vulnerabilities and reinforce an aversion to change. The “we’ve always done it this way” disease (call it WADITWay) can manifest itself in a reluctance to let go of old processes, solutions and technologies. WADITWay bias fosters groupthink, which at best can lead an enterprise down the wrong path and at worst can lead to disaster. WADITWay impedes good decision-making, putting enterprise assets, users and resources at unnecessary risk.
Recognizing WADITWay bias is the first step to combating it. It takes many forms (all characterized by an unwillingness to let go of something):
As malware victims will attest, hindsight is (painfully) 20/20. Here’s what IT leaders can do now to attack complacency:
Some will say believing we can block every attack is naïve - it’s not. We must put up a better fight against the bad actors who threaten us. That starts with eradicating WADITWay disease, and it ends with an enterprise cybersecurity culture that acknowledges “good enough” is never good enough.