
Thwarting Ransomware Requires a Fresh Look at Security

Samta Bansal

Chris Jacquet

Vice President and Chief Information Security Officer at Hitachi Vantara.

Jacquet is responsible for enterprise information security, establishing and maintaining a corporate-wide information security program to protect Hitachi Vantara’s information assets. He and his team identify, evaluate and report on information security risks to meet compliance and regulatory requirements.

Jacquet also leads enterprise security programs including security operations, incident response, vulnerability management, identity management, network security, disaster recovery and risk policies. He supports client services for Hitachi Vantara’s Managed Services offering, including governance and compliance. In September 2017, Jacquet’s role expanded to include the security governance of Hitachi Vantara’s products and services.

In July 2019, Jacquet was appointed Information Security Expert (ISE) for the Americas region for Hitachi Ltd. In this role, he assesses and advises Hitachi companies throughout the region on cybersecurity and provides direction back to the Hitachi Ltd CISO function in Japan.

Previously, Jacquet was senior director of cloud security and compliance, and acting CISO for cloud infrastructure at Marketo where he built and led cross-functional teams to secure their software products. Before this, his roles included senior director of global IT Security, compliance, risk management and governance at Symantec, and multiple leadership roles at Hewlett-Packard during his 26-year tenure there.

Jacquet holds a marketing certificate from UC Berkeley and an engineering degree in computer science from the Institut National des Sciences Appliquées (Lyon, France). He is fluent in French and conversational in German.

He holds a private pilot’s certificate and is an active member pilot of Angel Flight West, a volunteer organization that arranges free air travel for children and adults who have serious medical conditions.


Ransomware has become a familiar front page news topic thanks to recent high-profile attacks against a major meat producer and an East Coast operator of a critical oil pipeline. Also, consider the attack on a provider of software tools to IT outsourcing shops that let hackers paralyze hundreds of businesses on all five continents.

No doubt the ransomware threat is serious, and now Washington is mobilizing to wipe out a scourge it formerly treated only as a criminal nuisance. But the outcome of this battle will rest less on how we respond to ransomware, per se, and more on how we approach cybersecurity broadly. Unfortunately, as the great comic strip character, Pogo, put it long ago, “We have met the enemy, and he is us.”

Promoting best practices to detect and respond to ransomware is key, but it’s also important that organizations focus on stopping poor security practices to prevent it. And for reasons I’ll soon explain, that’s where we’re still falling short — by a wide margin.

Until recently, ransomware wasn’t viewed as a national concern, largely because the attacks usually weren’t large enough. The Biden administration has a robust appreciation for the risks posed by ransomware, and by cybersecurity more generally. But its eagerness to effect change may not be enough to overcome the widespread inertia in the private sector.

Security Discipline Missing

A lot of companies, in particular small and medium-sized organizations, still don’t have a chief information security officer (CISO) or even teams dedicated to security. I’ve come across examples where the person sitting at the front desk is also charged with the responsibility to change the Wi-Fi password once a month. That may be an extreme, but it speaks to the truth on the ground where the situation is often quite bad.

Meanwhile, the sudden obsession with ransomware distracts us from recognizing that we’re talking about a style of attack, just one threat among others. Ransomware just so happens to be very visible, so it gets talked about a lot in the news nowadays. Still, let’s avoid assuming that it’s the only security worry.

We need to muster a broader response that focuses on adopting security as a discipline and building the foundation for a solid security program (Prevent, Detect, Respond). That’s going to drive a lot more change. Unfortunately, it’s also a lot harder and more tedious to put into practice.

A lot of companies either haven’t adopted that discipline or have made do with shortcuts, folding security into some other function inside IT. That shortsighted approach not only fails to treat cybersecurity seriously, but it also mixes conflicting goals. The person responsible for the corporate network, whose goals are reliability, speed and availability, isn’t necessarily going to understand what a ransomware or phishing attack involves. How to prevent or mitigate a breach may not be evident to them, especially when preventative measures like patching may get in the way of their stated goals.

By this point, there can’t be any more debate over the argument that security should be treated as a separate discipline, one that’s adequately funded and staffed like any other important job inside the organization. Any organization can find itself under attack tomorrow, and you can’t have five guys doing security for a company with thousands of people.

Fixing the Problem

That failure to treat cybersecurity as a discipline leaves companies vulnerable to making otherwise avoidable mistakes. I commonly see organizations using products and services from suppliers where security was given short shrift during the development process. The only way companies can mitigate that risk is by building the capability to thoroughly vet third parties to make sure that the security-worthiness of any products meets their standards.

And that calls for a more sophisticated approach, which goes back to how we treat suppliers and customers within the context of overall cybersecurity.

  • Policy is always the foundation of any security program, so refresh yours to make sure it’s sufficiently robust to meet the gathering threats and to evolve with new threats and technologies.
  • Enhance, or, in some cases, start end-user awareness programs from scratch. Focus on cybersecurity and train employees and executives to recognize the phishing ruses that attackers use to infect networks with ransomware and other malware. Ransomware attacks often are related to awareness — and the lack thereof — because they always start with somebody clicking on a booby-trapped email link.
  • Establish a vulnerability assessment program. Identify your devices to find and fix or mitigate any flaws before attackers can locate them.
  • Shine the spotlight on third-party security. Elevate supplier security and make it a regular part of the assessment process. Otherwise, even the best security program is vulnerable to attack. This isn’t hyperbole. Once you grant network access to an outside firm, even for a short-term contract, everything’s on the line. If a consultant accesses your network using an insecure device, you’re in trouble.

Notice that I’m not calling for specific technical fixes like firewall configurations to solve specific, tactical problems. Let’s get over that flavor-of-the-month approach. It’s time to get strategic and start building solid pillars that will support a lasting security foundation.

Otherwise, we’re going to be reading about more of these mega-security nightmares, whether caused by ransomware or something else that comes down the pike.

Chris Jacquet is Vice President and Chief Information Security Officer at Hitachi Vantara.
