For companies without any real IT organization, the only real solution is to find an IT contractor with a good track record. Fortunately these are common in most cities. While it costs money to hire a security contractor, it’ll cost a lot less than it will to recover your systems after a malware attack. This really boils down to doing a cost analysis of what it will cost to hire help, versus what it will cost to go out of business, perhaps forever.
Dealing with shadow IT is thornier. There, the IT organization is weak, perhaps intentionally so, and the employees have found ways to do it themselves. It takes a while to overcome the cultural impact of such a situation because some of the employees won’t want to surrender their roles. But if the company is going survive after a malware attack, it’s necessary. Perhaps the best way to overcome cultural barriers is by including the staff that’s doing the shadow IT into the process of creating a real solution.
Then we’re back to the IT department and the excuses, whether they come from the IT managers or a higher level. This may be the time to present the need for improvement to upper management and to do so using real examples from WannaCry and Petya.
It’s fairly easy to quantify the cost of such attacks as they would be applied to your company, and to explain how your security, as good as your management thinks it is, isn’t adequate without proper patch management.
If your C-level executives are so focused on the bottom line at the end of the quarter that they can’t see the risk, then it may be possible to point out that they’re willing to pay for locks on the doors and fire suppression in the computer room—unless of course they’re skimping on those too. Then there are really only two possible options, first to find a way to let your investors know the risk and the second is to reduce the risk to you by leaving to find a job at a company willing to support adequate levels of cyber-security.
And that brings us to the last option, which is to remember that skilled and experienced IT staff jobs are going unfilled in vast numbers. Moving to a company that’s not run by idiots may be your best option. But in either case, the time for excuses has ended and it’s now time to actually find a way to fix your enterprise IT vulnerabilities.