
The Colonial Pipeline Breach Highlights Risk For All Companies

CEOs, and their CIOs, shouldn't base their cyber defense strategy on potential government action, but rather take proactive steps to address any potential weaknesses in their networks and to limit the fallout from a successful attack.

If any company’s leadership hadn’t been paying close attention to the growing threat of ransomware attacks, the Colonial Pipeline incident should serve as a loud wake-up call.

The Colonial incident is far from the first ransomware attack to disrupt a U.S. company’s operations, but it stands out because of the immediate impact it had on critical infrastructure that affects millions of Americans’ everyday lives.

The big lesson from this attack is that virtually any organization can be vulnerable to the scourge of ransomware. While it hasn’t been disclosed exactly how a suspected Russian hacking group gained access to Colonial’s systems, companies that run critical infrastructure should be some of the best protected and have access to support from U.S. government agencies to beef up their defenses.

But just as Covid-19 can lay low healthy, cautious people, ransomware attacks can infiltrate companies that may feel they’ve done the right things and are immune to attack.

Exacerbated by the pandemic-driven work-from-home trends and the growing sophistication and boldness of hackers, the number of ransomware attacks has surged over the past year. The rapidly growing number of hardware and IoT devices that are connected to networks is making it hard for not just IT departments but also operations departments to keep up with potential weak points while increasing the risk of serious safety issues, such as shutdowns of hospitals or transport systems.

The gravity of these threats demands a multi-level response by governments and companies. U.S. regulators need to find ways to reduce incentives and increase deterrence for the cyber criminals behind ransomware assaults. An important first step could be to increase controls over cryptocurrencies like Bitcoin, the anonymity of which has made it the payment method of choice for hackers.

CEOs and their CIOs shouldn’t base their cyber defense on government action, though. They should be taking steps to identify and address any potential weaknesses in their networks and to limit the fallout from a successful attack.

As individuals and remote workers, we should all be practicing basic IT security hygiene to protect our data from bad actors. That includes creating strong passwords, being alert to phishing attacks, keeping sensitive documents secure, and habitually shutting down idle computers and devices, especially routers.

At the corporate level, there remain big discrepancies in how seriously companies invest in cybersecurity and how tightly they enforce procedures.

Companies need to have multi-layered protections, from a strong cloud network to perimeter and end-point security, to avoid that initial breach. An important part of that is ensuring software patches, including anti-virus protections, are always up to date to help eliminate known vulnerabilities.

This sounds obvious, but it has become easier to miss as systems become more complex and patch installations are delayed to avoid interfering with other systems.

IT departments also need to have strong systems in place to monitor threats to their networks and investigate unusual activities. Quickly catching and containing a breach before it spreads to vital systems can make the difference between a minor incident and a full-blown crisis that costs millions of dollars. This can be done in-house or through one of the excellent third-party monitoring services that are available.

Companies should also consider the risks inherent in moving their data to the public cloud. While these services are generally secure, they do increase potential exposure and may not be appropriate for certain sensitive types of data or for companies in critical infrastructure sectors.

The weakest security link in organizations is often human error, a vulnerability that has grown since whole workforces have shifted to remote working arrangements amid the Covid pandemic. It only takes one successful phishing email or weak password to give bad actors the access they need, making it essential for companies to have effective security training programs in place.

Unfortunately, a lot of training efforts become a box-checking exercise and lack incentives for employees to absorb the key messages. A “carrot-and-stick” approach — with warnings about the career consequences of failing to absorb the lessons and rewards for the best performers — can be an effective way to incentivize staff.

It’s also important to have a clear and well-rehearsed plan in place in case the worst happens. Senior executives and IT teams should conduct regular exercises around real-world scenarios in which they have to scramble to respond to an attack and a ransom demand. Executives should know which contacts in law enforcement to call for help dealing with the crisis and gather any information they have on the threat and the group behind it.

Running a tight cybersecurity ship with these practices and precautions won’t guarantee against a ransomware breach, but it will go a long way toward deterrence and minimizing an organization’s exposure and risk when attempted attacks are detected early. As organizations rapidly move to become fully digital businesses, cybersecurity is no longer a “nice to have” — it’s a critical part of the IT infrastructure.

