You executives and managers who are in my age group (that is, you didn’t grow up with mobile devices and computers) listen up. According to several studies, you pose a higher security risk to your organization than the up-and-comers you manage.

According to a new OneLogin survey of 2,000 workers aged 16 to 55+ in the U.S. and U.K., senior managers (42 percent) were twice as likely as their junior counterparts (20 percent) to share a work device with someone outside the organization; 19 percent of senior managers said they share confidential passwords with a family member, compared to 7 percent of junior employees; and senior management reported working from public Wi-Fi networks at double the rate of their junior counterparts (30 percent vs. 15 percent).

There are some logical explanations for this, none of which are comforting or justified. According to OneLogin, part of the explanation is that those of us who did not grow up with technology find it difficult to learn how to use it and are intimidated by it. I have no sympathy for those who refuse to try to learn, or who try to get around security measures because they are intimidated. It’s not that hard, and it is vital to the security of your organization.

The second reason is that executives are trying to perform at a high level and think security measures, like multi-factor authentication or logging into a VPN, take too much time. That reason is also rubbish. The entire purpose of implementing security measures is to protect the user and the organization. Trying to figure out a workaround takes more time and resources than simply following sound security practices. Executives and managers should be thinking first and foremost about the consequences of a security incident caused by them.

Here are some tips for organizations to address this issue:

  • Don’t wait for executives and managers to admit they don’t understand how to implement or use technology. Give them one-on-one training/education so you are sure they are using the security measures and are comfortable with them.
  • Provide executives and managers with pointed educational sessions on data security so they are aware of the risks they pose to the organization if they do not adhere to data security practices.
  • Be firm when executives and managers ask for workarounds. Instead of allowing the workaround, take the time to show them one-on-one how to use the security measures and counsel them, in layman’s terms, on why the measures are so important.
  • Make adherence to security measures part of executives’ and managers’ (for that matter, ALL employees’) performance evaluations. If they don’t follow security measures, that should be documented and considered in compensation and bonus decisions. This will certainly get their attention.
  • Don’t let them get away with it. If they cause an incident, there should be consequences.

As I always say, data security is a team sport. If the captains of our teams aren’t engaged, the plays won’t work and organizations will lose the game.

The GEO Group, Inc. (GEO), a publicly held company located in Boca Raton, Florida, announced on November 3, 2020, that it is beginning to notify individuals following a ransomware attack that “impacted a limited amount of personally identifiable information and protected health information for some inmates and residents contained on certain servers for a small number of facilities including the South Bay Correctional and Rehabilitation Facility in Florida, a youth facility in Marienville, Pennsylvania, and a now closed facility in California. The incident also impacted two corporate servers with employee data.”

According to the statement on its website, the GEO Group is “not aware of any fraud or misuse of information as a result of this incident.”

The ransomware attack was discovered by GEO on August 19, 2020. It thereafter launched an investigation with cybersecurity firms and law enforcement. According to the website notice, “the company recovered its critical operating data and, based on its assessment and on the information currently known and obtained through the investigation, the Company does not believe the incident will have a material impact on its business, operations or financial results.”

GEO is a publicly traded organization that “is a fully integrated equity real estate investment trust specializing in the design, financing, development and operation of secure facilities, processing centers, and community reentry centers in the United States, Australia, South Africa, and the United Kingdom. GEO is a leading provider of enhanced in-custody rehabilitation, post-release support, electronic monitoring, and community-based programs.” It owns or manages 123 facilities totaling approximately 93,000 beds and employs approximately 23,000 professionals. Its website states that its “diversified services platform provides unique capabilities for the delivery of educational and vocational programs, cognitive behavioral and substance abuse treatment, and faith based services across the entire corrections spectrum.”

Based upon the statement, it appears that GEO is notifying affected inmates, residents and employees of the incident.

The UK National Cyber Security Centre (NCSC) issued an alert on October 16, 2020, to raise awareness “of a new remote code execution vulnerability (CVE-2020-16952)”, which affects Microsoft’s SharePoint product. According to the alert, “successful exploitation of this vulnerability would allow an attacker to run arbitrary code and to carry out security actions in the context of the local administrator on affected installations of SharePoint server.”

The NCSC recommends applying security updates promptly, “but in this case the NCSC has previously seen a large number of exploitations of SharePoint vulnerabilities…against UK organisations…NCSC is issuing this alert to ensure that system owners are aware of this vulnerability and to ensure remediation actions are taken.”

According to the alert, the vulnerability affects:

  • Microsoft SharePoint Foundation 2013 Service Pack 1
  • Microsoft SharePoint Enterprise Server 2016
  • Microsoft SharePoint Server 2019

It is important to note that SharePoint Online, which is part of Office 365, is not affected by the vulnerability.

The NCSC “strongly advises that organisations refer to the Microsoft guidance…and ensure the necessary updates are installed in affected SharePoint products. It is also important to keep informed of any possible future updates to the guidance…”


Health care entities continue to face a barrage of attacks from cyber criminals, and it is widely reported that the health care industry is being hit more frequently than any other industry. Ransomware is the name of the game for these attackers in all industries, including health care.

Unfortunately, what is being touted as one of the largest, if not the largest ransomware attacks against a health care entity in 2020, occurred last week against Universal Health Services (UHS), a Fortune 500 company with more than 400 facilities in the U.S. and the United Kingdom. It is believed that the ransomware attack involved the Ryuk strain, which is linked to Russian cybercriminals.

Following the attack, which occurred over a weekend, UHS reportedly took all of its networks down and had to re-route some patients to other facilities. Since not all of UHS’s computers could be used, providers were forced to resort to paper. A ransomware attack such as this is extremely disruptive to patient care. Ransomware attacks are designed to be disruptive, and a disruption to life-or-death patient care is especially concerning.

UHS has publicly stated that no patient or employee data were compromised in the attack and that it is operating under its contingency operations plan. This response demonstrates the importance of having a contingency operations plan in place and testing it to make sure it works.