Last fall, I had one of those days. You know, a day where things just don’t go as planned. The day started out with a training session on ransomware. Unfortunately, as such programs are apt to do, it made me start to think that selling everything I have, disconnecting from the wired world, and moving to some remote island where I could live out my life selling tapas on the beach might be a really good idea. I suspect more than a few of you might have responded similarly.
What got me going was learning about one of several new ransomware “business models” hackers have come up with. In short, after a computer or network is breached and the data encrypted, some hackers are starting to offer their victims two choices instead of the normal one, which was to pay the ransom amount in order to obtain the decryption key and get their files back. Now the victim can either pay the ransom or they can help spread the ransomware by sharing a malicious link with two people they know. If those two unsuspecting folks become infected and pay the ransom within seven days, then the initial victim would receive the decryption key and be able to recover their files for free. Now isn’t this a heartwarming development.
As soon as my training was over, I started going through my email to include reading all the tech stuff I normally review every day trying my best to stay current and informed. Of course, the headlines were what they are on any given day nowadays. “Hackers Named Runner-Up for Time Magazine Man of The Year,” “Governments and Nation States are Now Officially Training for Cyberwarfare,” “The Botnet That Broke the Internet Isn’t Going Away,” and “Ransomware Now Being Used to Cover Network Intrusions” were just a few of the delightful reads that morning.
Then the phone rang. Seems a couple of lawyers came to work only to discover that their firm had been broken into and three laptops containing all kinds of client information were on the list of items taken. Of course, the first question they asked was what should they do now. It’s a legitimate question and one deserving of an answer; but I needed to know more. It was then I learned the laptops were not password protected, were not encrypted and contained no laptop tracking software. With that good news, my answer was the only thing that could be done now was to take whatever steps they could to prevent anyone from using the stolen hardware to break into the firm’s network. They should also file a claim with their cyber insurance carrier and notify all clients impacted by the theft. Beyond that, everyone was going to have to live with the reality that the data on those laptops was in someone else’s hands, and may in fact, eventually fall into the hands of a number of others, none of whom will have the firm’s or the firm’s clients’ best interests at heart.
After this call ended, I just sat there shaking my head wondering why these lawyers took no steps to try to prevent access to client and firm data should something unexpected, like a break-in, ever occur. Sadly, I have an inkling. Security experts tell me they see this all the time, which makes me think it gets back to how I responded to my morning training. We live in a crazy cybercrime world and, the crazier it seems to become, the more we all look for ways to escape from it, be it a dream of getting away, going into denial that something bad will ever happen, or ignoring it because there’s nothing anyone can do anyway. While all are normal responses when things seem overwhelming, they can also lead to serious trouble if any particular response prevents someone from taking steps to responsibly deal with the reality of the situation. This is what I believe is behind a failure of a firm to take proactive steps to secure all tech. In all seriousness, I’ve seen it in the eyes of too many. We’ll be talking about things like the use of encryption, of strong passwords coupled with password managers, or even the necessity of ongoing cyber security training when the willingness and motivation to do something just seems to disappear.
Look, I really do get it. As the Borg, an alien race in the Star Trek Next Generation TV series, used to say: “Resistance is futile.” That line hits home for me when I start to think about cyber security because the headlines tell us daily that it’s a losing effort so why even try. But try we must. If the lawyers mentioned above had just taken the single and simple step of encrypting the hard drives of those laptops, the difficult and problematic task of notifying all clients of the breach, not to mention the potential long-term fallout of having their own personal identities stolen, could have been avoided entirely.
If you count yourself as one of the folks who believe it won’t ever happen to you, feel that ignorance is bliss, believe there’s nothing you can do to prevent it so why bother, or are just counting the days until the dream of getting away can become a reality, all I can say is this. Yes, becoming cyber secure can be a pain. Do it anyway. Trust me, the headache that comes with being proactive is going to be far less than the one that comes with being a hacker’s next victim. Want proof? Look at the impact of the global WannaCry ransomware attack and the far deadlier GoldenEye wiper malware attack that occurred shortly thereafter. (And for those of you unfamiliar with the term wiper malware, a wiper seeks to permanently destroy data. The attackers don’t give a hoot about playing the ransom game.) If these two global attacks don’t underscore that it’s only a matter of time, I don’t know what else I can say to try and convince you to take action other than this. Once disaster strikes, call your IT support and see if there’s a way to pick up the pieces. Just be sure to sit down before placing that call because you’re not going to like what you’re about to hear.