Ransomware Series: Demonstrating Truthful Documentation and Lessons Learned

Demonstrating That Your Documentation is Truthful and Faithful

Data governance assists tremendously in documenting and having the right policies, standards, guidelines, and procedures. This enables anybody in the organization, as well as insurance companies and other ruling bodies, to see the depth of documentation and ensure there is protection over their data.

Over the last two years, insurance companies have taken a huge hit on ransomware payments. Two or three years ago you could get coverage extremely easily, but now it’s required to go through an entire underwriting audit. The more coverage you need, the more extensive the underwriting will be. Insurance companies have curated a list of procedures that organizations are required to perform, and if they don’t, then they will not be given ransomware or breach coverage. The top of this list is multi-factor identification on sensitive accounts within the environment. They’re looking at patch management and password policies.

Data governance needs to have documentation for its own purposes, so having it for the purpose of insurance and claims is something that is easy to do. Sometimes this task is given to cyber security professionals, and they are not necessarily the best equipped to know whether the policies are indeed being enforced at the functional activity operational and at the table level of the data. Through the stewards, data governance then has an embedded ability to know whether this is truly taking place at the ground.

Ransomware Interview: Part 5 & 6

Lessons Learned

Attackers are involving in their practices. Cybercrime is warfare by human beings that are actively engaging and encountering the steps we take to try to protect valuable data. When we look at the supply chain of attacks from the last couple years, we see that they are not trying to just get one person or one organization, they’re trying to do this at scale.

In security, organizations must be right 100% of the time. These cybercrime companies only need one lucky shot to breach. There is no secure fix or point of nirvana, cybercrime is something we are always going to be involved in. Organizations need to continuously evolve to protect their data.

There are a few principles that we need to accept here:

• Security is hard. There is no easy way to take on this challenge. It requires a commitment, and it is expensive.
• You can learn a lot by looking back at strategy. There is a need for strategic leadership in cybersecurity.

From an internal standpoint, we have an obligation as companies to limit the damage that can be done or the misuse of individual’s data. Resultant’s Govern by Design methodology takes a very holistic approach. A general in the battlefield must be very aware of all the elements, and by virtue of being completely cognizant of the environment as well as knowing the strength of the enemy and preparing accordingly in a holistic fashion. There are enough lessons learned worldwide from an array of companies that we can lean away from and not follow. The bottom-line approach is to be very clever and work it backwards.