We need more cyberprevention

The recent WannaCry cyber attack has highlighted the need to invest more time, money and resources in guaranteeing the security of users’ data.

Telefonica, Iberdola, and Gas Natural, along with hundreds of other organizations, suffered a cyber attack some weeks ago. Over 75,000 computers in almost a hundred countries were attacked in this massive hack. Hackers penetrated Telefonica and other organizations like the National Health Service in the UK, and launched a software called WannaCry that was originally developed by the National Security Agency as a cyber weapon. The software spread rapidly like a “worm” and encrypted files in the affected computers. A message on the screen then appeared demanding a ransom of 300 dollars in bitcoin to release the file. Thankfully, unlike in the case of NHS, Telefonica’s services seem to have not been affected to any great extent. By the time the worm crossed the Atlantic, alarms had been raised and companies in the US were more prepared.

This year alone we have seen over 20 major breaches and almost 2 billion stolen records ranging from email addresses to full bank account details according to reports by Informationisbeautiful.net.  Yet public attention appears to be short term.

Most users appear to be ignorant of the impact of a data breach on their daily lives. Who is to blame? But more importantly what can be done?

Cyber threats, like any other threats, are a multiple of the intent and  capability. A few months ago the world saw the world’s largest Distributed Denial of Service (DDoS) attack on an Internet company called Dyn. Internet services like Spotify, Twitter, Paypal, Netflix etc. were affected. In a DDoS attack, the perpetrator attempts to disable the website of a target firm by repeatedly visiting the website millions of times per second. This particular DDoS attack is attributed to one angry individual with a grudge against Sony and the playstation network. In order to launch this attack this single individual bought a piece of software from the dark corners of the Internet. What once required the capability of sophisticated programmers could now be purchased for a mere 7500 dollars. Given the relatively non-criminal intent and the cheaply available capability, despite the extent of affected services, the threat was rather limited. Most firms have learned how to protect themselves from the rather mild threat of a DDoS attack. But this is not always the case.

In the ransomware attack that we are seeing at the moment the intent is clearly theft. Unlike a DDoS attack that only brings down a website, a ransomware attack implies that the hacker penetrated into the network of the organization, and actually accessed files which the hacker then kidnaps and trades their return for money. The former is more like defacing the wall of a business with graffiti to send a message while the latter being like breaking and entering to steal. Quite naturally, ransomware attacks or other attacks that involve breaking and entering require greater capability. With a more serious intent and a greater capability, the threat is clearly more pronounced. One would therefore expect that large organizations like Telefonica and Gas Natural would have paid careful attention to their defenses to thwart such serious threats.

The interesting thing with the latest attack is that the patch that could have prevented this attack was released by Microsoft in March when it was first detected. This raises the pertinent question of why these firms had not updated their systems with this solution? Such patches are free and updating them is strongly recommended by Microsoft.

Did such large firms with enormous IT budgets not proactively apply this patch?

Every 6 months you and I have to get our cars certified to be non polluting. Most automobiles do not dramatically move from non-polluting machines to mobile death traps in 6 months. Yet every 6 months we ensure that our cars have not crossed the limits even by a few percentage points. Meanwhile, in a matter of a few hours we have seen IT systems go from “working fine” to “sorry we lost all your data.” How can it be that IT systems are not audited every 6 months?

It is understandable that if these threats were weak it would not merit investments in a stringent security policy. However, with the recent attacks it is clear that the threats are not mild. The intent is not to just embarrass an organization but rather to hold it hostage. The capability deployed is not something developed by amateurs and sold in the online grey market, but somewhat misplaced cyber-weapons developed by international government organizations.

It is time we held firms accountable, time the press did not forget so easily  and time the government put some real pressure on organizations to invest time, effort and money in ensuring that user data is secure.

Kiron Ravindran. Professor. IE Business School