Ransomware – the attack of the commercial hacker
The weekend's headlines were full of news of the most recent and audacious attack on the data and operations of the UK NHS, among others. Databases were locked down and encrypted by malicious software, accompanied by a demand for €300 worth of Bitcoin in return for reinstating access to the data.
Some elements of this latest challenge to system security are particularly worrying – the malware exploits weaknesses in systems which are largely based on, or running off, Windows XP – at least two generations behind the most recent version of such software. Also of concern – Microsoft published a patch for the weakness exploited by this particular strain of malware earlier in the year, meaning that many of the systems impacted by the attack had not recently been updated with that patch or with protective anti-virus packages.
There is something eminently commercial about the use of Bitcoin, the newest and most process-efficient currency in the world today, as a means of generating revenue for these miscreants. Hacking has traditionally been a disruptive tactic – as much an attempt to gain reputational credit for breaching the defences of large organisations as a show of technological innovation and creativity to keep ahead of commercial firewall software.
The fact that the hackers are resorting to charging a ransom, with no guarantee that the encrypted data will ever be released and returned, is depressingly familiar to those of us who keep watch on global geopolitical trends. The fact that the ransom is relatively small and innocuous, relative to the disruption and chaos being caused, is evidence that disruption remains the primary objective.
But the most worrying of all, and a constant reminder that our security is only as strong as our weakest element: for the malware to work, someone within the organisation had to open an e-mail, click on a link or initiate an application without first checking that it was genuine and trusted.
A couple of years ago, we asked a large number of firms to account for their recent data breaches, and in particular, to categorise the source of their breaches. Over 70% indicated that their breaches had been caused by the 'deliberate, non-malicious actions of staff'.
That is, the vast majority of security problems were caused by members of staff doing something to cause the breach, not to damage the firm reputation, impact its business or embarrass its brand, but because they simply did not know any better.
So what can we learn?
- Deploy patches and software upgrades in a timely fashion, as they are being issued – to delay is to leave your systems and hardware exposed as a 'weak link'
- Train staff to exercise caution – to challenge unsolicited correspondence or communications from an unknown or unexpected source
- Keep abreast of developments in the cyber-war, the latest trends and techniques being used to stay ahead of 'traditional' security
- Ensure that your contractual arrangements with your third-party service providers, IT support and data hosts cover THEIR infrastructure, THEIR software and THEIR staff acting in a secure, competent and alert manner
- And, when in doubt, ask! Check with IT before opening a link or initiating an application
Privacy Engine is particularly mindful that we are fast approaching the one-year mark before the GDPR – the General Data Protection Regulation – comes into force. The GDPR will not protect your data any more, or any better, than its predecessors. It will, however, provide many reminders in the coming months that organisations have an obligation to keep their data safe and secure, and a liability to their customers and the Regulator if they fail to do so.