What’s worse than getting hit by ransomware? Finding out your IT Director tried to help you avoid it months ago.
Remember when Lake City in Florida recently had to shell out nearly 500,000 to hackers so they could get their data back after being hit by ransomware? It seems their trouble is only just beginning.
In a new lawsuit, their former IT Director Brian A. Hawkins alleges that he made the city aware of their IT vulnerabilities months before the attack. Given that he was fired over the ransomware incident, he’s hoping to point the blame back at those who did nothing when he initially warned them.
According to Hawkins, he suggested that the city should invest in a cloud backup service, which would have protected them in the event of a ransomware attack. Apparently, they decided it wasn’t worth the money, and opted not to heed his suggestion.
Fast forward a few months to the attack, and in the aftermath, Hawkins receives a letter stating the following:
“Recent events, including a cyberattack on the City of Lake City and the inability to quickly recover from this attack, including the failure to have in place a reliable and effective backup system,” it said, “have demonstrated significant weaknesses with the city’s I.T. department under your leadership.”
Hawkins has since filed a public records request for his work hard drive and the emails that would prove he made the recommendations, but it will be some time before a ruling is made. No matter which party wins the lawsuit, it will set an interesting precedent in an important discussion…
In response to Hawkins's request for his hard drive and emails, Lake City stated it would charge about $7000 to review and redact the necessary records. Does this mean IT directors, managers and others in positions of IT leadership will need to keep their own records going forward?
It raises a question of trust – if an IT director, CIO, or CISO makes a suggestion to help protect the IT systems, and that suggestion isn’t followed, how can they know they’ll be absolved of responsibility if the worst were to happen?
It may be prudent for IT teams to implement a more formal process of review and remediation for IT upgrades, especially when they concern cybersecurity. Requiring the signature and express, documented understanding of the parties they report to may protect them in situations like the one Hawkins has found himself in.
C-Level & Board Responsibility
If the lawsuit finds in favor of Hawkins, those leading similar organizations and companies will have to reconsider how they handle suggestions from their IT teams.
If you were to receive a suggestion about an upgrade from your IT team today, what’s your obligation to implement it? If failing to do so leads to a major cybersecurity incident next month, how liable are you?
This is important to consider because it could significantly affect your IT budgeting. If you’re compelled to pay for every service and product your IT director suggests because you’re afraid of being vulnerable to ransomware, then your IT will be much more expensive than usual.
Is there a way for you to evaluate what your IT director tells you without having to take their word for it, and without overspending on it?
Think about it for a second – since you were a kid in elementary school, you’ve been taught how important it is to double-check the answers you’re given. Whether it means double-checking the answer you get in long division or more extensive critical thinking, it’s important to double-check what you’re being told.
It’s not just a priority in school either. How about when you get a diagnosis from a doctor? It’s common practice to consult a second physician to double-check that what you’re being told is correct, and that what’s being done about it is the right course of action.
Just as you would with a doctor or a mechanic, you should be sure to have your IT services and onsite hardware double-checked on a regular basis. In doing so, you can verify the following aspects of your IT infrastructure: