
Affected by the 'ransomware' attack?

Steve Bridger

| 7182 Posts

Community Manager

15 May, 2017 12:21

Hoping that Community members have escaped unscathed from last Friday's global 'ransomware' attack. I know we have a lot of members who work within the NHS.

Any HR people collaborating with their IT depts on this one?

The first thought on many minds as the working week begins?

How to defend your computer against the ransomware attack

  • Elizabeth

    | 1862 Posts

    Chartered Fellow

    15 May, 2017 16:54

    Hi Steve

    Our IT Director used to report to me (lucky me) and I'm still in the contacts of some of our IT suppliers so I received a couple of e-mails this morning with advice on ransomware attacks. One was saying the sort of things you've probably read or heard elsewhere about e.g. applying security patches regularly etc. to ward off attacks, but the other one said the best thing to do if an event happened would be to switch everything off and yell for help from a specialist - not reassuring!
    Anyway, my only collaboration has been to suggest to our IT Director that if, as I believe, we believe we have good defences in place it would be good internal PR to share that information and/or brief them on what to do if we are targeted.

    If there's anything HR people can do to help on this issue, I would be very glad to hear about it.

    I saw an article in an HR journal this morning that said that the attack on the NHS was shut down by one cyber-hero who was actually on holiday at the time. A colleague said "It is not a job to him, more a passion that he happens to get paid for". Doesn't that sum up the importance of human factors: getting recruitment right, giving people scope to use their initiative and recognising them when their passion translates into extraordinary achievement.
  • In reply to Elizabeth:

    Steve, Elizabeth,

    I agree that it's often the case that people with a passion for doing something sometimes get to help others. It's also a shame that typically those working in IT rarely get praise when things go well, but are often the first to be blamed when something goes wrong. Other users of this forum may remember this story from April and the follow-up from the recent attacks:

    http://www.dailymail.co.uk/news/article-4183308/How-beat-scammers.html

    In the case of this latest incident it could be argued that what went wrong was a momentary lapse in judgement, or a failure to adhere to the organisation's cyber security procedures. Arguably, unless anyone has some direct knowledge of who, what and why, then it's largely immaterial. Many could be guilty of taking the easy option instead of the correct option. What I believe should be remembered is that in the same way as there are specialists for HR and specialists for IT, doing the right thing is everyone's responsibility regardless of the discipline.

  • Angela

    | 11 Posts

    Chartered Member

    22 Jun, 2017 11:31

    In reply to Daniel Wilson:

    In response to Steve’s initial query, I think very often the end user feels they are blamed when they click on that nefarious link. I think we need to change our thinking here. Malware is written to be stealthy, the user doesn’t even know that the link they clicked on last week is now lurking quietly on their machine, gathering information, spreading through the network, waiting for pre-programmed launch day.

    An attack happens, and the employee may be too scared to confess to their manager, and perhaps they pay the ransom to keep their personal reputation intact. I think IT can only implement with the tools they are given, and these are usually limited to the funds they are spared at the start of the year. At the end of the day, employees often use social media while at work, there will always be that innocent link. A user cannot be expected to know what is behind the seemingly innocent link.

    I believe these things will be helpful:

    1. I think HR needs to have a policy of good IT hygiene, use cryptic passwords, keep patches up to date, consider how you deal with bring-your-own-devices (BYOD), and for the policy to include ‘check with IT’ before plugging your home laptop in.
    2. I think the policy should include that there will be no retaliation (for employee or IT) for confessing that the employee has been breached. HR and Recruitment are prime targets for a breach by the way, since they are viewing incoming CVs all the time. That CV could easily have hidden coding when you open the document, and you’d not know for days/weeks/months that you have been breached.
    3. The CISO/CEO need to be held accountable for committing sufficient funds to buy a decent enterprise security product, that pro-actively works, since the days of the old anti-virus products are now known not to protect, unless they know what to protect from. New malware is launched every day, and it’s written in a way that it evolves for every person it spreads to – so detection is very unlikely.

    I have momentary lapses all the time, but there are very modern technologies that diminish the risk (or effect of breach) very substantially for the enterprise.