The Colonial Pipeline Hack Could Improve Security

By now, most of us have heard about the hack of the Colonial Pipeline – the ransomware attack that affected 17 states and the District of Columbia last week.  As IT professionals, we all share the same worries and concerns.  Could this have been us?  How vulnerable are we?  Do we need to do anything to improve our defenses?  As frightening as this hack is, there is a real opportunity to look at the “silver lining” and take appropriate action to better protect our organizations.

I work as a healthcare executive.  Every year, hundreds of healthcare organizations around the country are compromised by bad actors.  There is no more “security by obscurity.”  These hacks have been suffered by very large and very small organizations alike.  We are all at risk, no matter our size.  When breaches are reported in the news, IT leaders are likely to be given an opportunity to discuss our information security program with boards of directors and senior management teams.  Such has been my opportunity each time there has been a news report of a major breach.  The most senior leadership wants to know how vulnerable our organization is to a similar breach.  The conversation is thorough and serious and the questions direct.

This broad visibility is an opportunity for us, as leaders, to educate, explain, and improve our information security plan.  That’s the silver lining!  As Winston Churchill famously said (while working to form the United Nations after WWII), “Never let a good crisis go to waste.”

The Colonial hack is a call to action.  It’s a great time to do an exhaustive review of our information security plan.  Our security plan needs to include technical security and – perhaps most importantly – our employee training and testing.  It needs to include a response plan stored offline.  The plan should also include services and technologies that we contract from third parties, including medical devices.  We need to verify their readiness, just like the technology and personnel that work in our organizations.  We all know that the majority of successful attacks are behavioral.  Attackers deceive employees into doing something that exposes the organization.

I recommend we all take this opportunity – and it is an opportunity – to examine our readiness and make improvements.  That’s everything from process, to networks, data stores, applications, policies and procedures, training, and testing.

If you need some help, anything from a review of your current plan to the creation and implementation of a new one, it’s what we do at Brightwork Consulting. We’ve worked with large and small healthcare organizations (and everything in between) to improve their security and solve issues before they become problems. We know the industry. We know the vendors. We know IT security. Now is the time to act – let us help you before you become a victim.

by Bruce Elkington, Senior Consultant