You Can Learn from Suffolk County’s Mistakes

About a year ago Suffolk County on Long Island in New York was taken out by a ransomware attack. It took months to get back online.

So what did they do wrong? Pretty much everything.

First, they had to find a scapegoat, so they fired their IT director. Did he do anything wrong? No. In fact he had virtually no authority to do anything.

Next, even though Suffolk County is home to a million and a half residents, the County had no Chief Information Security Officer. They finally hired one 9 months after the attack.

Next, they allow each elected official to run his or her IT show. Not only is this a huge waste of money, but there is no synergy between departments, no way to learn from what others are doing, etc.

More than a year after the attack the County still hasn’t issued its report on what happened. Do you think that this is possibly the real root cause. How long could it reasonably take to generate this report?

The County already has a requirement for an annual cybersecurity report. That law was passed in 2018. The County has produced exactly one annual report in five years. That report said they should have a CISO – and the recommendation was ignored.

The county said this was all Covid’s fault. I don’t think so.

Also, the county did not and still does not have cyber insurance. Would you drive a car without insurance. You can, but it is very risky. What about your house? Homeowner’s insurance is not really optional these days.

Learn from other’s mistakes – it is the least expensive way to learn. Credit: Long Island Newsday

by