Ransomware is today’s trending topic. After Friday’s attacks, commentators are discussing what went wrong, pointing fingers of blame and conjecturing how much worse it could get. Ignoring the headlines and political finger pointing, the scariest fact of this whole saga is that law enforcement agencies and cyber security experts are playing a game of catch-up. Although contingencies can be, and have been, put in place, no one can predict how this will play out or when it will end. We will just have to wait and see.
What has been highlighted is our dependency on computer systems and just how important they are to essential services such as health care. That the NHS coped as well as it did is testament to its people and should not be underestimated. The impact on services could have been a lot worse, but contingency plans appear to have weathered the storm so far.
The catastrophic consequences of a large-scale attack on our computer systems are not a new concept. This scenario forms the plot of numerous fiction films and makes for compulsive viewing; it’s scary, and now we have evidence it’s possible. Scarier than fiction, however, is that the risk of ransomware has been known for some time. In 2016 it was the most prevalent form of cyber attack. This raises many questions.
Why is it that these recent attacks appear to have come so out of the blue?
Why is it that massive organisations such as the NHS appear to have been so vulnerable to an attack that can so easily be guarded against?
These questions are not easily answered, and I’m sure there will be lots of deliberation and investigation into them once the dust has settled and the threat of the WannaCry ransomware has been eliminated. But from the viewpoint of a Certified Fraud Examiner, and from what I have seen amongst my clients and from talking to people involved in cyber security, here is my perspective:
THE ROOT CAUSE:
The vulnerability in the organisations attacked will have been caused by a lack of awareness of the issue. A lack of awareness means the decision makers did not know the risks they were exposed to and therefore couldn’t plan accordingly. Or, secondly and more worryingly, they were aware of the risks but did not assess the potential damage of an attack on their organisation: the cost of dealing with it was too great, the time to upgrade too inconvenient, and so on. There will always be a reason.
If it were me, what would I be doing now to ensure my organisation is better protected against ransomware attacks? Apart from the obvious steps of upgrading systems and anti-virus packages and ensuring regular backups are taken, I would also be looking at higher-level measures to bolster my organisation’s protection:
Within your organisation, how aware is everyone about cyber security? Are you confident that they would be able to spot a scam email or a phishing attack? The more aware your staff are, the harder it will be for fraudsters to succeed in attacking your company. Attending cyber security seminars (and encouraging your staff to attend as well) is a good way to learn about the risks and how to avoid them.
TONE FROM THE TOP:
This might sound like a catchphrase from Whitehall in the ‘Blue Sky thinking’ genre, but it should be taken seriously. Think about where you work. What is the message from the top in relation to cyber crime and cyber awareness? Does management talk about it and share it with ALL employees? Is there any form of training or awareness exercise (even if it’s simply sharing an email news article on the latest scam)? If you’re at the top, how do you approach these issues with your staff, if at all?
The simple point here is that if you want your staff to care about this issue (and trust me, you do), that message has to come from the top, so that everyone knows it is a number one priority and is aware of what they should do if they receive a suspicious email or if their computer is taken over by ransomware. It’s pointless investing in the latest and greatest cyber security technology if your staff do not know how to spot the basic ‘red flags’.
I can’t speak for the message throughout the NHS or those organisations that have been hit, but some reports suggest that this ransomware targets systems that are old and out of date. I would think that suggests that there may have been some flaws in cyber security best practice.
This recent ransomware attack has shown how dangerous it is not to update your software. It is not difficult to do; all it requires is a little time. If you hold data, process payments electronically or have critical business functions that rely on your computers and software, then you really can’t afford not to keep your software and anti-virus protection up to date. If your computer were taken for ransom and you lost sensitive client information, how would you explain this to your clients without a severe loss of reputation? And looking forward, with the new Data Protection laws coming into force next May, there is also the potential for punitive fines for loss of data.
I would argue that ensuring that your IT systems are up to date and protected is business critical. Get this wrong and the potential adverse consequences on your business could be catastrophic and very costly.
If you’re concerned about your cyber security, why not come to our Cyber Security breakfast seminar in Guildford on Tuesday 16th May.
Alternatively, follow our Fraud and Forensic department on Twitter at @TheFraudbusters for regular updates and posts regarding cyber security and fraud prevention.
Views expressed are my own and are not intended to reflect those of Alliotts. Please seek professional advice before taking or refraining from taking any action.