The Underestimation Of Cybercrime Makes You WannaCry
July 20, 2017
As much as I tried to resist, the urge to drop that pun into the title of this piece was too strong. But seriously: the WannaCry ransomware worm that crippled large parts of the NHS (and, as I write this, a fresh attack has hit the email accounts of MPs) looks to be the tip of a very unstable iceberg. Experts have been banging a collective drum about it for years, but the beat appears to have fallen on deaf ears.
What’s most worrying is that the sectors that are most susceptible, i.e. government organisations around the world, are not leading the way in combating the growing risk of serious cybercrime. Not only are they not leading the way, they are so far behind the curve that it’s scary. Malware very often exploits known weaknesses in old, unpatched software versions, which points the finger at IT leaders who do not have a reliable update and patch process in place: the fix existed, and had not been applied. This sort of organisational laziness is both widespread and unforgivable.
For now, we won’t go into how or why the exploit that WannaCry relied on originated in the US intelligence community, but suffice it to say that cyber criminals have access to a rolling supply chain of ever more efficient ways to cripple businesses and extort money. Combine this with the fact that a huge amount of software is running with known vulnerabilities and you can quickly see how big a problem this really is.
So why do businesses not seem to be listening? PwC published a report last year that singled out the UK as a hotbed of economic crime, highlighting that cyber crime was now a board-level issue but that companies were not taking it seriously enough. Amazingly, approximately 55% of businesses fall victim to economic crime, with cyber crime making up almost half of that figure. Yet PwC’s report found that a third of surveyed firms had no plans in place to step up their fight against digital criminals.
The C-suite is partly to blame. Many of them cut their business teeth in an era when carrying a mobile phone around was a strenuous workout. Very few, if any, come from a tech background, so it is imperative that they bring on board IT and security specialists who can implement a proactive process. The C-suite needs answers to these types of questions:
- How are we informed about current cyber threats?
- Do we have an ongoing process of protection and a process if we are affected?
- Do we understand the current threat level?
- Are we detecting attempts to undermine our systems, and how often do they occur?
- Do we have a crisis team in place?
- Is our client data encrypted, both at rest and in transit?
To stay on top of all of these issues, someone at board level needs to own cyber security, whether that’s a CTO, CSO, CISO or CCSO. Trusted cyber-security relationships need to be developed in order to keep pace with changing threats, and a regular risk-management review should be added to the board meeting schedule. If those at the very top of the organisational structure can show that they are taking the threat seriously, that attitude will filter down through the rest of the company. It only takes one person to let their guard down and click on a link or open an attachment, and a company could be facing significant embarrassment coupled with severe financial loss. WannaCry is also a reminder that this is not only about user error: it spread from one unpatched machine to the next with no click required, which is why the patch process matters as much as staff awareness.