I have been working in the cybersecurity space for a long time; since well before it had a moniker. From my perspective, it seems as though the number of data breaches and ransomware attacks, particularly in the healthcare space, have been increasing. It’s also true that the breaches seem to have something in common that isn’t much discussed outside of security circles. Organizations that have been breached seem to have certain characteristics in common which can be generally described as arrogance.
I began noticing a pattern long, long ago where certain large organizations displayed a casual disdain for the well-being of their customers and the ecosystems in which they operate. In the early years it was IBM who were later dethroned by Microsoft. They would repeatedly and consistently make choices designed to maximize short-term gain at the expense of the overall health of the information technology industry and the connected industries that used IT services. As cybersecurity incidents became increasingly common (or increasingly publicly reported), it became apparent that there was a direct correlation between the arrogance large organizations displayed toward their markets and their risk for damaging data breaches.
Well, why not? If you don’t care about your customers (or anyone else in your sphere) in the first place, why would you devote any resources to keeping them safe?
I wondered, though, why they so seldom get called out for it? Only very recently has anyone in the US Federal Government, for example, called out Microsoft for being a national security threat. I think other entities: governments, the press, IT organizations, even security researchers all fear that “it could happen to me” — because it could. I did all the IT work for my little medical practice, and put huge amounts of resources into keeping things private and secure, but I would never have bragged about our security publicly or dissed our competition for their laxity.
It should be publicly said that, while anybody can be the victim of cyber-criminals, in the vast, vast, vast majority of cases organizations with good IT hygiene do not get breached or ransomed or leak sensitive data. While there are certainly exceptions, the big breaches (Equifax, Facebook/Meta, Change Healthcare, Microsoft Exchange, Ticketmaster, CDK, AT&T, Synnovis, Oracle, Boeing, Ring, Colonial Pipeline…) have all been directly linked to major, obvious, glaring gaps in good IT defense that could have and should have been addressed long before the breaches occurred.
—2p