Media Prima ransomed: Who should be responsible to stakeholders?
Sources close to the matter say that the recent ransomware attack at Media Prima is contained. The nature of ransomware attacks is to encrypt files critical to the business, which brings business operations to a full stop. If a business wants to avoid financial and reputational losses from this, it has to pay a ransom to be able to use its data again.
But, Media Prima has declared they would not be paying the 1,000 bitcoins demanded by the perpetrators.
This is a step that is recommended by most industry practitioners, but could it also be that Media Prima’s critical business data is unaffected?
Sources confirm only Windows machines have been impacted, whilst Mac machines, a privilege usually reserved for top management, are in the clear. Could it be that only staff employees are affected by the ransomware, whilst top management’s data have escaped unscathed?
An independent security assessment conducted regularly would have reduced the chances of incidents like this occurring. A source close to the matter said the need for independent IT assessment had been highlighted various times.
Even IT security industry players have highlighted the risk of not performing regular security assessments, and it is an industry best practice to perform assessments. And yet…
So, who should be responsible for this attack? Common sense would say the IT Head and Head of Risk should be held accountable. But they are answerable to the Board of Directors, and as a public-listed entity, Media Prima’s Board is answerable to shareholders.
So, shouldn’t this Board of Directors be made accountable as well?
This isn’t the only ransomware attack in Malaysia and it won’t be the last.
Who knows how many more have been kept out of the news because of a lack of regulations that make it mandatory for businesses to report and inform when they have been breached?
And given how prevalent cyberattacks overall have become, a burning question arises.
The preventive steps highlighted above could have gone a long way to avoid the ransomware attack in Media Prima’s case – regular security assessments, using a different operating system, education and awareness about safe use of the Internet and many more – so why is top management in a majority of businesses still not making cybersecurity a top business agenda, and still not enabling their organisations top down to better defend against cyberattacks?