The news cycle over the weekend was dominated by reports of a worldwide spate of ransomware-based cyber attacks.
There is plenty of information covering the how and the why, and the inevitable finger-pointing has started, with many looking to allocate blame to various governments and their associated agencies.
Common questions following this type of event are how it happens and how the attackers get away with it. To answer these in detail would take a while, but a very simple explanation is that ransomware is a small computer program, usually delivered covertly by email (some strains also spread by themselves across a network by exploiting unpatched software), that when run encrypts the files on your computers or servers so that they cannot be read without a decryption key. Only the attacker holds that key, and it is offered in exchange for a ransom, hence the name. There is usually a time limit on payment, often around 72 hours, after which the attacker threatens to destroy the key or raise the price; if you have no independent backup, your data is then effectively lost forever.
The money is paid in a way, typically in a cryptocurrency, that makes it extremely difficult if not impossible to identify where it ends up. This form of cyber attack has proven highly lucrative for criminals. It is difficult to put a figure on the total financial losses incurred by UK businesses to ransomware, as many attacks go unreported, but estimates run into the hundreds of millions of pounds.
Understanding how an attack happens is helpful in thinking through how to protect yourself in the future. Remember that ransomware is only one of many cyber threats that can hit businesses and individuals alike, and new threats are being uncovered all the time.
There will of course be demands for someone to do something to stop this sort of cyber attack. In fact a lot is being done internationally, nationally and regionally, but the hard reality is that we all need to shoulder some of the responsibility, both as individuals and as businesses.
As individuals we are all told to manage our passwords and accounts responsibly; the government, the banks, social media companies and others continually remind us. We are also told not to click on suspicious links in emails or text messages, and never to open attachments that we were not expecting or are unsure about. How many of us really take these simple pieces of advice seriously?
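The "unexpected attachment" advice above is exactly what a mail gateway or endpoint filter automates. The following is an added illustration, not code from the original post: it classifies attachment filenames by extension, catches the macro-enabled Office formats and the "double extension" trick (a file named invoice.pdf.exe that displays as a PDF) that ransomware droppers commonly use. The extension lists and the sample filenames are constructed here for the example.

```python
"""Flag risky email attachments by filename (added example, not from the post).

Three heuristics are applied, in order of severity:
  * a right-to-left override character in the name (used to disguise .exe files),
  * an executable/script extension, especially behind a document-looking one,
  * a macro-enabled Office extension.
"""

# Extensions that execute code when double-clicked on a typical Windows desktop.
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "jse",
                   "vbs", "vbe", "wsf", "hta", "ps1", "msi", "lnk", "jar"}
# Office formats that may carry macros (a very common ransomware delivery route).
MACRO_EXTS = {"docm", "xlsm", "pptm", "dotm", "xltm"}
# Document extensions that attackers imitate in double-extension names.
DOCUMENT_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "txt", "jpg", "png"}


def classify_attachment(filename: str) -> tuple:
    """Return (verdict, reason); verdict is 'block', 'warn' or 'allow'."""
    name = filename.strip().lower()
    # U+202E reverses the displayed order of the following characters, so
    # "report\u202efdp.exe" is rendered as "reportexe.pdf" by many clients.
    if "\u202e" in name:
        return "block", "right-to-left override character in filename"
    parts = name.split(".")
    if len(parts) < 2:
        return "warn", "no file extension"
    ext = parts[-1]
    if ext in EXECUTABLE_EXTS:
        if len(parts) > 2 and parts[-2] in DOCUMENT_EXTS:
            return "block", f"double extension: looks like .{parts[-2]} but is .{ext}"
        return "block", f"executable attachment type .{ext}"
    if ext in MACRO_EXTS:
        return "warn", f"macro-enabled Office document .{ext}"
    return "allow", "no risky pattern"


def triage(attachments):
    """Classify a batch of filenames; returns {filename: verdict}."""
    return {f: classify_attachment(f)[0] for f in attachments}


# Constructed sample attachment names for the demonstration.
SAMPLE = ["Invoice_4471.pdf", "Invoice_4471.pdf.exe", "Q1_figures.xlsm",
          "notes.js", "README", "photo.jpg", "report\u202efdp.exe"]

if __name__ == "__main__":
    for f in SAMPLE:
        verdict, reason = classify_attachment(f)
        print(f"{verdict:6} {f!r}  ({reason})")
```

A filename check like this is only a first line of defence: it should sit alongside content inspection and the malware protection and patching controls discussed below, because a plain .docx with an embedded link, or a zip containing an executable, will pass it.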
The UK government, in consultation with industry experts, published a list of five key technical controls for protecting a business or organisation, collectively known as Cyber Essentials: boundary firewalls and internet gateways, secure configuration, user access control, patch management, and malware protection.
This is a good, practical start, and is estimated to protect against around 80% of the most common cyber attacks, including, according to the experts, the recent one; patch management and malware protection, the two controls most relevant to ransomware, are both on the list.
There is also a certification process that helps businesses and organisations ensure they have put Cyber Essentials in place as it was intended to be used. Trading with another business or organisation that holds the certification gives confidence that security is being taken seriously. Adoption has unfortunately been slow.
Coming down the line is the General Data Protection Regulation (GDPR), which comes into force on 25 May 2018. This new law governs how data about individuals is collected and managed by businesses and organisations, and it stipulates that such data must be adequately protected, which points back to Cyber Essentials as a solid place to start. However, the GDPR is more than a set of recommendations: it is a legal requirement which, if not complied with, can incur significant financial penalties. Following a cyber incident or data breach, the Information Commissioner's Office (ICO), which is responsible for enforcing the GDPR in the UK, can levy fines if it finds that security and data protection were not at an appropriate level.
If we look at the physical world as an analogy: we have the armed forces, the intelligence services and the police protecting us at the international, national and local levels, but we are still expected to lock our doors, be aware of who and what is around us and take care when crossing roads, i.e. to take a sensible approach to basic security and safety. The world of cyber is the same: government institutions can only do so much, and we as businesses, organisations and individuals need to do our bit.
It is widely expected across the political and business spectrum that cyber attacks will continue to increase in both frequency and severity. As bad as the recent one was, recovery appears to have been fairly rapid and as yet there are no reports of anyone being seriously hurt. The next one could be far worse. Governments and their defence and security teams will be doing their bit, but without businesses and individuals stepping up their game there are gaps in the fence that attackers can get through.
To learn more about Cyber Essentials and the General Data Protection Regulation, contact the National Cyber Skills Centre.