The wide-ranging, well-coordinated ransomware attacks that began last Friday were always inevitable. While this may act as a wakeup call, until basic cyber hygiene is taken seriously, these attacks will continue to happen at this scale.
The inevitability of Friday’s ransomware deluge on worldwide institutions sits on three strands: Organizational “technology debt” management, ill-informed risk management decisions, and poor existing basic cybersecurity hygiene, exacerbated by a confused security marketplace.
“Technology debt” is the time, human resource, financial resource and operational disruption needed to implement IT system updates—including security measures. All corporate levels adopt and integrate new technology at speed to enhance business efficiency, but alongside that, the technology debt continues to grow.
Re-prioritization of these resources happens regularly due to hugely competing demands. When activities such as updates do not happen because of re-prioritization, then the technology debt grows with significant added interest. Eventually, the technology debt becomes unaffordable and remains untreated. As with all liabilities, a carefully managed technology debt is an acceptable business reality. But those organizations who had lost control of their technology debt were the most affected on Friday.
Managers made strategic decisions governing investment and prioritization either through ignorance, or because the threat and risk wasn’t presented to them in a form where a more informed decision could be made. In short, they prioritized resources in the wrong place for well-intended reasons, or in the right place, but with ill-informed and incorrect understanding.
Finally, poor existing basic cyber hygiene was exacerbated by a confused security marketplace. Successful proliferation of ransomware was greatest in organizations where the basic digital security hygiene measures were absent. The cybersecurity market has been made deliberately difficult to negotiate. Solutions appear to be complex and isolated, prices are eye-wateringly high, and it is challenging to balance advice to help determine what protection is needed from which threat.
So a limited budget seems to buy very little to meaningfully reduce risk, and the seductively presented wares on offer provide little assurance that the effect needed will actually be achieved.
All of this means that an attack like this will almost certainly happen again. Friday’s criminals waltzed into these virtual organizations where they knew every window or door was open, or could be easily opened, and went to work with impunity. Once discovered, the only solution available was to shut down everything, whether the robbers had been there or not, simply to stop them from spreading. (At that point, the extent to which they could spread wasn’t yet known.) And so everything was shut down, business then stopped and the media went to work.
Cybercrime is a 21st century fact and it is a risk we have to manage. Organized and opportunistic criminals have existed for centuries—the digital world is no different. New techniques, opportunities and criminal endeavors will keep evolving and defenses have to evolve with them. What is within everyone’s control is whether the next event has the wide-ranging operational effect and is as easy to perpetrate as Friday’s event.
So what can we do? We could keep blaming the NSA for allegedly authoring and losing the exploit, or blaming the alleged Russian-linked “Shadow Brokers” hacking group for releasing the exploit, or blaming the North Korea-based “Lazarus” group for allegedly perpetrating it. Or we can be constructive and look at the shortfalls in the area of prevention.
To this end, companies must make efforts to improve organizational leadership in order to understand the business risk of contemporary cyber threats. This will allow companies and organizations to better understand from where and whom the threat comes. Organizations need to make strategic, informed risk and investment decisions with knowledge from informed sources. They also need to improve education and understanding of this modern business risk among every board member and executive leader.
Technology debt is inevitable, but it can be kept under control while continuing to inform an organization’s strategic risk management. Basic security hygiene—such as the measures laid out in the U.S. National Institute of Standards and Technology’s (NIST) cybersecurity framework—is essential and needs to be in place before considering expensive, shiny so-called “silver bullets.”
IT and information security service and product vendors who now circle over Friday’s victims must make the necessary security products and services affordable to all. Excessive pricing and incomprehensible selling inhibits purchasers with limited budgets. The sensible antivirus vendors worked that out some time ago; responsible modern vendors need to catch up.
In the U.K., the new National Cyber Security Centre must make standards regarding compliance, certification and accreditation more relevant, affordable and acceptable to those who require them, rather than to those who sell them. The U.K. will only achieve the aspiration of “the safest place in the world to do business (and run public services)” if these measures actually support, not inhibit, security.
It is neither expensive nor complicated to understand and manage these risks. But while it is still made so, incidents like this will continue and the real-world effect will be greater than it needs to be.
Brian Lord is the former deputy director of GCHQ Cyber and Intelligence. After 21 years with the U.K. intelligence agency, Lord is now managing director of security firm PGI Cyber.