FALL 2017 | CompTIAWorld 37

The State Story

Ransomware is a crime of extortion, and the more valuable your data, the more you are at risk. According to the FBI, organizations such as hospitals, school districts, and state and local government agencies are often targets of ransomware attacks. But, surprisingly, at the state level, government institutions sometimes go unprotected.

Srini Subramanian, principal at Deloitte & Touche LLP, a Premier Member active in CompTIA’s public sector programs, said states allocate a very small percentage of their tech budgets to cybersecurity. One reason for the shortfall of funds is that communicating cybersecurity risks can be a unique challenge.

“I think with respect to cyber-risk being such a new discipline, there is a lot of information that is difficult for executives to comprehend,” Subramanian said. “For instance, telling them ‘We block millions of attacks every day using a firewall.’ The executives say, ‘Well it looks like we’re in pretty good shape, right?’ Well, that may be accurate data but that doesn’t paint the complete picture of what is going on in a network infrastructure or environment.”

But things are also beginning to look up – or more secure at least. States have started to appreciate the importance of having a comprehensive cybersecurity strategy. One particularly instructive way Deloitte has been facilitating this shift is through launching, implementing and managing solutions that bridge the communication gap. For instance, in some cases Deloitte puts C-suites through simulated data-loss emergencies. Such war games do more than just tell high-level state government officials about the cost and impact of data breaches and the proper response to them – they show them.

The Healthcare Story

A ransomware attack in April against hospital and ambulatory electronic health records (EHR) vendor Greenway Health affected 400 client organizations using the vendor’s cloud-hosted platform.
While half of the affected clients had their EHR services restored within a few weeks, the rest had to revert to manual processes in the hope of timely restoration. Greenway Health’s breach wasn’t the first attack on this type of data and certainly will not be the last.

Healthcare enterprises know that assessing risk is a critical part of the cybersecurity equation – they just need more information about what the process entails. But it has to be done the right way. Lysa Myers, security researcher with CompTIA Premier Member ESET, has seen the fallout when enterprises roll out security solutions without first assessing the real operational needs and functioning of a business. Not only can it be ineffective, but it can be an inconvenience, which can create greater vulnerabilities as employees circumvent solutions and policies to get their work done.

“If you make it so that security is more seamless in their day, then they’re not going to go through weird gyrations to get what they need to get done,” said Myers, also a member of CompTIA’s IT Security Community.

In her own speaking engagements, educating representatives of smaller institutions in areas like healthcare and education, she sees the same mindsets that permeate both the general SMB landscapes and state government. “Businesses don’t fully realize that, even though they’re less visible than big multinational enterprises, the records on their