WannaCry was a wake-up call. Petya is a wake-up call. Last I checked, wake-up calls were meant to bring about change.
After WannaCry, we saw a massive surge in patching around the globe, not to mention a 22-year-old “accidental hero” in the U.K. who helped halt the malicious software. It’s proof that beating the drum continuously to public and corporate institutions about serious cyber defense tactics doesn’t seem to do the trick, and once again we will see a tangible drop in cybersecurity activity until the next big attack. It will only keep getting worse.
The question is quite simple—why aren’t organizations doing more about this? We witness the answer every day: Most organizational leaders refuse to support their internal teams when asked for procedural change or proper funding for cybersecurity defenses—which cuts their bottom line.
In practice, it’s quite easy to see the lack of emphasis given to cybersecurity when it warrants only 3-6 percent of IT budgets, and oftentimes that number includes risk management. Moreover, our community is only now scratching the surface of providing tangible cybersecurity reports at the organizational board level, meaning its level of importance is still not equal to that of numerous other reporting requirements.
There are strict physical safety measures imposed on numerous industries, like seat belts and airbags, yet we need look only at the current U.S. administration and its public stance on cybersecurity to see an instance of unbelievably insufficient governmental policy.
The entire intelligence community and the cybersecurity community that supports the government know, and have known, that the Russians have sophisticated teams and methodologies that have been used to attack us for years. This administration seems to have turned a blind eye to our national defense given its consistent refusal to admit Russia’s complicity.
This makes a bold statement that the White House has no intention of preventing cyber attacks at a policy level. There are still gaping holes in the federal CISO and White House CISO positions, and we haven’t seen any movement in policies or executive orders of any substance.
This article originally appeared on ThirdCertainty.com and was written by Paul Inella.