First, some set-up:

In a free society, three forces offset each other to maintain a balance: Government, business, and community.*

Government and business are self-defining. Community encompasses everything from religious and charitable organizations, to organizations promoting social justice such as the NAACP and National LGBTQ Task Force, to those trying to prevent social justice – the Proud Boys and their ilk qualify – to, at the opposite extreme of size and organization, bowling leagues and backyard barbecues.

Depending on how you count, the modern labor movement began during the industrial age with the formation of the American Federation of Labor in 1886, adding labor as a fourth balancer by providing protections and influence, both contractual and political, to workers whose roles up until then had made them, from management’s perspective, fungible, and therefore powerless.

To wrap up this stage-setting: Not all that long ago, during the early stages of the information age (also depending on how you count), the workforce could be subdivided into people who wanted jobs and those who wanted careers.

The plan for those who wanted jobs was to exchange time and effort for money. As an incidental benefit it provided a community for employees who wanted to socialize.

The plan for those who wanted careers, whether as professionals or as managers, was to gain a sense of identity: from their affiliation with their employer; from the role they played as part of that affiliation; and on top of that from pride of accomplishment in exchange for their time and effort. Providing a community – the teams career-minded employees worked in – was arguably more of a benefit for these employees than for those who only wanted jobs.

When the business was doing well, leaders and managers generally preferred career-minded individuals, because their career-mindedness gave their manager more tools to motivate them with. During downturns, though, the fungibility of job-oriented workers made them easier to lay off, and to be re-hired if and when profitability returned.

And here we are, in the nascent digital age, where these workplace trends will shift, and in some places already are shifting, the balance from leadership to management as the vital skills for running an organization:

  • Remote employees: An increasing proportion of employee (or contractor) responsibilities can be fulfilled from anywhere.
  • One-dimensional management/employee relationships: Remoteness results in an increase in management by metrics, where employee effectiveness is gauged mostly or solely by how many work products the employee creates in a period of time, and their quality.
  • One-dimensional employee/employee relationships: Trust and alignment, the hallmarks of effective teams, are becoming optional, as work is reduced to a series of narrowly defined assignments.
  • Sense of identity from sources beyond employment: Self-definition means how people think of themselves. “I’m a lawyer,” “I’m a physician,” “I’m a programmer,” are all examples of people defining who and what they are based on what they do to make a living. My sense, and I have only anecdotal data to support it, is that other factors, driven, I think, by remoteness and its consequences, are starting to edge out job titles as sources of self-definition.
  • The diminution of “career” as a motivator: To the extent self-definition is no longer built around what someone does to make a living, management no longer has helping employees grow in their careers as a source of motivation and loyalty.

Bob’s last word: Quite a lot has been published about the importance of employee engagement in recent years (for example, here). I wonder, though, given the social forces that appear to be in play, if pursuing employee engagement might not be an example of “fighting the last war” – of engaging in strategies and tactics that made sense in the past but won’t fit the situation that’s emerging.

So if you’re in graduate school and in search of a thesis topic that’s more than just the same-old same-old, I’d encourage you to try designing the optimal employer/employee relationship of the future.

Bob’s sales pitch: I’m often asked how a reader can support KJR. The answer isn’t complicated: If you need consulting assistance in line with what I write here, please don’t be shy.

And on a smaller scale there are the Three Rs: Read, recommend, and review my books.

For your convenience, here’s where you can find them.

——————————————————

* Not original, but I couldn’t track down a source.

Enterprise risk management (ERM) recognizes four responses to risk:

  • Prevent, aka Avoid: Reduce the odds of the risk turning into reality.
  • Mitigate: Reduce the damage should the risk turn into reality.
  • Insure: Share the cost of the damage should the risk turn into reality.
  • Accept, aka Hope: Do nothing, figuring the cost of prevention, mitigation, and insurance exceeds the cost of the damage should the risk turn into reality.

Which brings us back to what you ought to do about ransomware.

Last week’s KJR provided a starting point for recognizing that Accept is an unacceptable response. “Oh, dear, there’s nothing we can do except hope, and pay the ransom if we have to,” is just plain wrong.

In cop shows, kidnappers provide “proof of life” before anyone pays the ransom. There’s no such thing as proof of life following a ransomware attack, and no reason to expect attackers to follow through on their restoration promises.

That leaves Prevent, Mitigate, and Insure. This week we’ll go deeper on these subjects, courtesy of my There’s No Such Thing as an IT Project co-author Dave Kaiser. Dave?

# # #

Here are some ways to prevent and mitigate an attack:

Prevent: To reduce the odds of successful ransomware penetration, create a very hard exterior defense, and limit what an intruder can do once inside it:

  • The biggest challenge with ransomware is that most victims have no idea that they’ve been penetrated, let alone when. We’ve seen lags as long as six months between infection and discovery. If you detect it anywhere, infer it’s everywhere.
  • Remove local admin rights from all PCs. This is critical, as PCs remain the #1 entry point, mostly via phishing attacks, and malware that lands in an unprivileged account can do far less damage.
  • Block executable files at the perimeter (email gateway and web proxy, not just the firewall) so users can’t download or install them without assistance. Filter on file content, not just the extension: “invoice.pdf.exe” and an .exe renamed to .txt are the classic lures.
  • Run an enterprise-grade PC/server protection (EDR) platform (my company uses CrowdStrike). Norton isn’t an enterprise-grade match for the newer, more sophisticated attacks.
  • Segment your network and have tight rules on what traffic can flow from PCs to your backbone and cloud servers.
  • Require multi-factor authentication for any web-facing email (including Microsoft 365), for remote access (VPN, RDP, remote-support tools), and for all system logins as well.
  • Filter all email through a filtering service. Even the best of these services can’t eliminate phishing attacks, but they do improve the odds.
  • Conduct quarterly (at least) phishing tests with your employees. Provide additional training for any employee who falls for the simulated attacks. While you’re at it, test your employees for vishing (voice phishing) attacks too.
  • Engage a white-hat service to continually attempt to break into your network. Also conduct an annual deep-dive security audit.
  • Put a law firm specializing in this area on retainer. The legal challenges are complex, especially as applicable laws and regulatory requirements vary from state to state.
  • Physical security: For intruders, “tailgating” into a victim’s offices and sitting down at an unoccupied, logged-in computer is still a popular intrusion technique. Short screen-lock timeouts cost little and close most of that window.
  • Finally, patch, patch, and patch. Most ransomware exploits vulnerabilities for which a fix has been available for weeks or months; patching closes those. A true zero-day, by definition, has no patch yet, which is why the other layers above still matter.

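The executable-blocking item above is easy to get wrong if the gateway filters on file extension alone. Here is an added example, not code from the column or from any product it mentions, of a content-based check: it identifies executables by their magic bytes regardless of name, flags extensions the Windows shell runs on double-click, and looks inside zip archives (refusing ones it cannot open). The magic-byte table is standard; the nesting limit, the file names and all sample attachments are constructed for the demo.

```python
"""Content-based attachment screening for an e-mail or web gateway.

Added example, not code from the column or from any product it mentions.
Identifies executables by magic bytes (so 'notes.txt' that is really a PE file
is caught), flags extensions Windows will run on double-click, and looks inside
zip archives. All sample attachments below are constructed for the demo."""
from __future__ import annotations

import io
import zipfile

# Magic bytes at offset 0 for the common native executable formats.
EXECUTABLE_MAGIC = {
    b"MZ": "PE (Windows .exe/.dll/.scr)",
    b"\x7fELF": "ELF (Linux)",
    b"\xfe\xed\xfa\xce": "Mach-O (macOS)",
    b"\xfe\xed\xfa\xcf": "Mach-O (macOS)",
    b"\xce\xfa\xed\xfe": "Mach-O (macOS)",
    b"\xcf\xfa\xed\xfe": "Mach-O (macOS)",
}

# Plain-text formats that the Windows shell executes on double-click.
SCRIPT_EXTENSIONS = (".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta", ".ps1", ".bat", ".cmd")

ZIP_MAGIC = b"PK\x03\x04"   # also the signature of docx/xlsx, which are zips too
MAX_NESTING = 2             # assumption: zip-in-zip levels to unpack before giving up


def executable_kind(data: bytes) -> str | None:
    """Return the executable format the blob's header claims, or None."""
    for magic, kind in EXECUTABLE_MAGIC.items():
        if data.startswith(magic):
            return kind
    return None


def classify_attachment(name: str, data: bytes, depth: int = 0) -> list[str]:
    """Return the reasons to block this attachment; an empty list means allow.

    The name is consulted only for the script-extension rule; the executable
    check ignores it entirely, which is the point."""
    reasons: list[str] = []
    kind = executable_kind(data)
    if kind:
        reasons.append(f"{name}: {kind} by magic bytes")
    if name.lower().endswith(SCRIPT_EXTENSIONS):
        reasons.append(f"{name}: script extension")
    if data.startswith(ZIP_MAGIC):
        if depth >= MAX_NESTING:
            reasons.append(f"{name}: archive nested too deep to inspect")
        else:
            try:
                with zipfile.ZipFile(io.BytesIO(data)) as archive:
                    for member in archive.infolist():
                        if member.is_dir():
                            continue
                        inner = archive.read(member)
                        reasons.extend(
                            classify_attachment(f"{name}/{member.filename}", inner, depth + 1)
                        )
            except (zipfile.BadZipFile, RuntimeError):
                # Malformed or password-protected: we cannot see inside, so quarantine.
                reasons.append(f"{name}: uninspectable archive")
    return reasons


def zip_bytes(**members: bytes) -> bytes:
    """Build an in-memory zip archive (helper for constructing the samples)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        for filename, content in members.items():
            archive.writestr(filename, content)
    return buf.getvalue()


def build_samples() -> dict[str, bytes]:
    """Constructed attachments: a PDF, disguised PE headers, zip lures, a script."""
    pe_stub = b"MZ" + b"\x90" * 62 + b"PE\x00\x00" + b"\x00" * 64  # header only, not a program
    lure = zip_bytes(**{"invoice.pdf.exe": pe_stub, "readme.txt": b"Please see the invoice."})
    nested = zip_bytes(**{"b.zip": zip_bytes(**{"c.zip": zip_bytes(**{"x.txt": b"hi"})})})
    return {
        "report.pdf": b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n",
        "photo.jpg.exe": pe_stub,   # double extension, PE by content
        "notes.txt": pe_stub,       # extension says text, content says PE
        "invoice.zip": lure,
        "nested.zip": nested,
        "update.js": b"var sh = new ActiveXObject('WScript.Shell');",
    }


def verdicts() -> dict[str, list[str]]:
    """Screen every sample; used by the demo below."""
    return {name: classify_attachment(name, data) for name, data in build_samples().items()}


if __name__ == "__main__":
    for name, reasons in verdicts().items():
        print("BLOCK" if reasons else "allow", name, "; ".join(reasons))
```

Office documents are zip containers and will be opened by the same code path; that is harmless here because their members are XML, but a production filter would add a rule for macro-enabled formats as well.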
Mitigate: To reduce the damage from a ransomware attack, take steps to recognize attacks early and facilitate rapid restoration:

  • Run a tool that monitors the network for suspicious activity. The tool you select should be AI/machine-learning-based, capable of autonomously discovering good versus bad patterns.
  • Deploy honeypots, and decoy “canary” files on your file shares. Nobody has a legitimate reason to touch these, so any access is a high-fidelity warning that you’re being targeted.
  • Snapshot your data frequently. Snapshots can help you determine when malicious encryption began, supporting both data and system recovery. Back up your data too, of course, but when you’re trying to recover from a ransomware attack, you’ll find snapshots are sometimes more valuable. Either way, keep them immutable or off-host: attackers look for backups and snapshots and delete them before they trigger the encryption.
  • Establish IT security breach procedures and keep a documented trail of what was done and when. Forensics, insurers, and regulators will all ask for it.
  • Operations staff should practice tabletop ransomware recoveries at random times – “pop quiz” style.
  • Everyone else needs to plan how they’ll limp along until their systems and data have been restored.
  • Make recovery plan updating a CAB (change advisory board) responsibility so recovery plans don’t get outdated.
  • Keep your platforms and applications current. If you don’t or can’t, reinstalling them might not be possible – the versions you were running may no longer be available from the vendor and your installation files may be corrupted. Server snapshots and change logs are essential.
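To make the monitoring and snapshot bullets above concrete, here is an added example (not code from the column or from any product it mentions) that walks a chronological series of snapshots, flags files that flipped from readable content to high-entropy noise or canary files that were touched at all, and reports the onset snapshot together with the last clean one to restore from. Snapshots are modelled as in-memory dicts; in practice you would read them from the snapshot directories your storage platform exposes. The entropy threshold, the canary directory and the sample timeline are assumptions constructed for the demo.

```python
"""Pin down when encryption began from a chronological series of snapshots.

Added example, not code from the column. Each snapshot is modelled as a dict
{path: bytes}; in practice you would read the files from the snapshot directory
your storage platform exposes. A change is flagged when a file that was readable
turns into high-entropy noise, or when a canary (decoy) file is touched at all.
The threshold, the canary directory and the sample timeline are all constructed."""
from __future__ import annotations

import math
import random
from collections import Counter

ENCRYPTED_THRESHOLD = 7.0   # assumption: bits/byte; documents and CSVs sit well below this
MIN_SIZE = 64               # assumption: entropy of tiny files is meaningless
CANARY_PREFIX = "canary/"   # assumption: decoy files nobody has a legitimate reason to touch

Snapshot = dict[str, bytes]


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: roughly 4.5 for English text, close to 8.0 for ciphertext."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(data: bytes) -> bool:
    return len(data) >= MIN_SIZE and shannon_entropy(data) > ENCRYPTED_THRESHOLD


def suspicious_changes(before: Snapshot, after: Snapshot) -> list[str]:
    """Paths whose change between two consecutive snapshots looks like ransomware.

    Judging each file against its own previous version, rather than in isolation,
    avoids false alarms on formats that are high-entropy by nature (docx, jpeg)."""
    flagged = []
    for path, new in after.items():
        old = before.get(path)
        if path.startswith(CANARY_PREFIX):
            if old != new:          # canary created or modified
                flagged.append(path)
        elif old is not None and not looks_encrypted(old) and looks_encrypted(new):
            flagged.append(path)    # readable file turned into noise
    # A deleted canary is just as suspicious as a modified one.
    flagged.extend(p for p in before if p.startswith(CANARY_PREFIX) and p not in after)
    return sorted(flagged)


def find_onset(snapshots: list[Snapshot]) -> dict:
    """Return the index of the first suspicious snapshot and the last clean one.

    last_clean is the restore point; onset tells the forensics team which
    snapshot (and which day's logs) to start with."""
    for i in range(1, len(snapshots)):
        hits = suspicious_changes(snapshots[i - 1], snapshots[i])
        if hits:
            return {"onset": i, "last_clean": i - 1, "files": hits}
    return {"onset": None, "last_clean": len(snapshots) - 1, "files": []}


def build_timeline() -> list[Snapshot]:
    """Constructed snapshots: two clean days, encryption starts on the third."""
    rng = random.Random(1)

    def noise(n: int) -> bytes:     # stand-in for ciphertext
        return bytes(rng.getrandbits(8) for _ in range(n))

    memo = b"Quarterly planning memo. Review the attached figures before Friday. " * 20
    ledger = b"date,account,amount\n" + b"2024-01-02,4010,1250.00\n" * 40
    canary = b"DO NOT EDIT - monitored decoy"
    day1 = {"docs/memo.txt": memo, "finance/ledger.csv": ledger, "canary/passwords.xlsx": canary}
    day2 = {**day1, "docs/memo.txt": memo + b" Agenda updated."}              # legitimate edit
    day3 = {**day2, "finance/ledger.csv": noise(len(ledger)),
            "canary/passwords.xlsx": noise(len(canary))}                     # encryption begins
    day4 = {path: noise(len(content)) for path, content in day3.items()}    # everything gone
    return [day1, day2, day3, day4]


if __name__ == "__main__":
    print(find_onset(build_timeline()))
```

The comparison is per-file against the previous snapshot rather than an absolute entropy judgment, which is what keeps already-compressed formats from tripping the alarm; the price is that the check only works if the snapshots themselves survived, which is the case for keeping them immutable or off-host.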

Insure

Buy cyber insurance. If you do decide paying the ransom is the prudent course of action, and/or you have to pay penalties for one reason or another, it will help defray the costs. Your cyber insurance company can also provide prevention, mitigation, and response expertise in the event of a breach. Expect the insurer to require much of the Prevent list above (MFA, endpoint protection, tested backups) as a condition of coverage, and to deny claims if those controls weren’t in place.

Dave’s last word:

  • Align ransomware recovery priorities with those defined in your business continuity plan. You won’t be able to recover by flipping a switch. Your business continuity plan will help you with triage.
  • Have a forensics firm under contract and on speed dial. You want them to know you and help you prepare for a ransomware hit by determining in advance what logging they’ll need in the event of a breach.
  • Remember that perfect is the enemy of good. Insisting on unbreakable protection will interfere with establishing better protection.

Bob’s sales pitch: Dave and I hope it’s clear that ransomware isn’t an attack on your company’s information technology. It’s an attack on your company.

That’s one more reason the old-fashioned view that IT has to be “aligned” with the business is inadequate. Check out my recent CIO.com article, “The hard truth about business-IT alignment,” for guidance on how to go beyond alignment, to integrate IT into the business.