The cyber attack impacted over 150 countries. At the time you read this the story will have evolved and maybe a complete solution will have been found. Hackers planted ransomware in computers and networks worldwide and demanded money from governments, businesses, hospitals, doctors and others in exchange for giving them back control of their computers.
As of the time this story is written, no one is quite sure who is behind the attack but some are saying it bears the marks of North Korea. Others say whoever they are, they’re amateurs.
The virus hit a security flaw in Microsoft software. Microsoft had earlier released a patch, but a lot of IT people didn’t apply it or their companies are using outdated software.
Paul Lipman of the cybersecurity firm BullGuard said systems are vulnerable and crippled by human error: by people who fail to do routine software updates and by employees who unknowingly click on and then open email attachments that contain the malware.
“This was a completely preventable attack — to the extent that organizations have comprehensive patching systems in place. However, life is never that simple,” he said.
The disaster could have been worse except for the quick thinking of a 22-year-old researcher who found a “kill switch” to stop the virus. It involved the purchase of the domain name of that kill switch.
What’s ironic is the research firm IDC said companies and organizations spent $73 billion on cybersecurity in 2016. It may not have paid off.
So what now? How can we protect ourselves from this kind of thievery? The McAfee Threat Report said in 2016 just one criminal picked up $121 million in six months and netted $94 million in profit after expenses. So cybercrime is very profitable and won’t go away anytime soon.
In 2015 cybercrime losses hit $3 trillion. By 2021 that figure is expected to double. At least that’s the estimate of Cybersecurity Ventures. The 2017 Thales Data Threat Report, Federal Edition says a third of federal agencies in this country were hacked and had at least one data breach last year. The report says 96% of federal government agency respondents said their agency is vulnerable to a breach.
The same report says:
• 61% of federal agency respondents are increasing security spending this year
• That’s up from 58% last year
• That’s still lower than healthcare which is increasing at 81%
• Retail is upping security spending by 77%
• Financial services are upping spending by 78%
Cyber security is increasingly important to smaller financial institutions. Data from Nationwide Insurance says bigger companies are doing better but the smaller players are way behind. From 2015 to 2016 smaller financial firms saw a 40% increase in malicious data breaches and a 68% rise in network disruptions.
Tim Nunziata of Nationwide said financial institutions of all sizes needed to be cyber-vigilant.
“Speaking to cyber and E&O claims, I think people when they think about it they think of Target and Home Depot [both suffered massive data hacks in 2013 and 2014 respectively], but the fact is the growing area of claims is in the smaller companies. We’re starting to see these smaller institutions being targeted. We’re seeing an increase in data breaches in smaller financial institutions across the board. They’re maybe not getting as many headlines, but they’re certainly driving trends,” he said.
Worse, the attacks are coming from all kinds of different sources.
“It’s a whole slew of security breaches — there’s the malicious data breaches, privacy, unauthorized contact, unintentional disclosure… Everybody knows the world is getting smaller, everyone is gathering more and more information, and it’s just creating more and more opportunities for there to be a potential issue — whether it’s a breach or a security privacy issue,” Nunziata said.
What all cyber experts say is it is critical that people begin to understand cyber attacks and how to protect themselves from them. An article from Dark Reading concludes there are 10 myths that individuals and businesses believe that basically set them up for a fall.
1. Only large entities are attacked. Not so, says a report from Radware. The 2016-2017 Global Application & Network Security Report said 98% of all organizations were attacked at least once in 2016 and 31% of those attacks were aimed at small and mid-size businesses with 250 employees or fewer.
2. Threats are overrated. The McAfee Labs’ Threats Report said the average mid-size company of 1,000 to 1,300 employees sees 11 to 20 incidents a day. Larger companies with up to 5,000 employees experience 21 to 30. The biggest companies of 5,000 or more employees get hit about 31 to 50 times a day.
3. The bad guys are on the outside. Nope. Radware’s report says 27% of crimes are from malicious insiders or someone on staff who accidentally does something. Some think the figure is low. A report from Verizon said 30% of phishing messages are opened. And 12% of those actually click on the malicious attachment. It just takes one to cause major problems.
4. Companies are well-prepared. Again, no. BMC and Forbes talked to companies and found 68% plan to beef up incident response capability in the next year. Translation: most are still unprepared. Reports say 40% have no incident response plans and 70% have no cyber insurance.
5. Insurance. Cyber insurance is booming, yes, and PricewaterhouseCoopers (PWC) says annual gross written premiums are likely to triple from $2.5 billion in 2015 to $7.5 billion by 2020. Insurance is helpful, but it’s expensive, doesn’t cover all attack expenses or damages, and can’t take complete care of one of the most serious: reputation damage.
6. Personal computers have antivirus and encryption and that makes them safe. Not. And it’s a big-time NOT. By 2020 PCs will have a minor impact when it comes to cyber attacks. Most people by then will be functioning entirely on mobile devices like smartphones and tablets. Wireless devices — says Cisco — account for 66% of all IP traffic worldwide already. They are almost all used from time to time in insecure environments like Wi-Fi hotspots. And a lot of devices end up stolen, aren’t password protected and are easy to break into anyway.
7. Firewalls work very well and so does network security so no need to worry. Again a big NOT. The attacks usually aren’t at the network level. They’re aimed — at least 57% of them — at applications, and not all applications are all that secure. Oddly, though most attacks are aimed at applications, just 18% of IT security funding is spent protecting them.
8. Millennials are savvy and digital geniuses and therefore more cautious. Wrong. In fact, it’s more than likely exactly the opposite. They’re too relaxed and less concerned about privacy than their older brothers and sisters, parents and grandparents.
9. Strong passwords are the solution. They are powerful, yes. But they only work well when other measures are put into place like two-tier authentication. Strong passwords are also problematic because people have trouble remembering them. So they put those passwords in some document on their computers. That’s a bad idea. The solution, some think, is to use strong passwords and then change them more frequently. That is another huge set of problems.
10. Just hire more IT security gurus and all will be well. Again, a huge myth. Finding and recruiting IT people who can actually do the job is very difficult. Keeping them is another issue. Currently there are — worldwide — one million job openings. By 2019 — Cybersecurity Ventures says — there will be 1.5 million openings.
Source links: The Washington Post, Dark Reading — link 1, link 2, Business Insider, Insurance Business America