Over the past five years, two major themes have boosted awareness around data protection and cyber risk – data loss incidents and widespread software vulnerabilities. Today, a third – ransomware – has risen to prominence, currently representing the primary driver for security awareness and data protection in UK organisations.
From Adobe to Sony – data increasingly unsafe
With a long history stretching back as far as the HMRC CD-ROM debacle, which concerned 25m people, data loss incidents have continued to grow in prominence and frequency. Data loss from global brands like Adobe, Yahoo!, Sony, eBay and many more have had the public asking whether businesses are well enough equipped to secure their data.
Heartbleed sees more data haemorrhaging from firms
Simultaneously, serious software vulnerabilities – some of which are no doubt taken advantage of by hackers in many high-profile data breach incidents – gained massive, mainstream media attention. First came Heartbleed, then Shellshock, followed by POODLE and Sandworm. From this point, further questions are asked of employers and their attention to – and investment in – cyber risk.
When hitherto unknown – “zero day” – vulnerabilities in software and hardware widely used by businesses are suddenly disclosed, what hope do organisations have of guaranteeing that customer data will remain fully protected?
Many are starting to believe that it’s not a case of “if”, but “when”, meaning bosses must concede that they will face data loss at one stage or another, and that they must invest more heavily and diversely in mitigation, response and backup technologies, in addition to the existing prevention and detection tools which are clearly shown to be failing.
Ransomware to the fore
Most recently, cyber risk incidents and disclosures of vulnerabilities have given way to hard-hitting ransomware outbreaks.
A strain of malware which can be spread in the usual fashion – by infected email attachments or malicious links which exploit software vulnerabilities – ransomware is designed to lock systems and encrypt data unless a fee is paid or action performed.
Ransomware has a long history, but it first entered the wider public eye a few years ago when CryptoLocker began spreading. What set CryptoLocker apart, and what has set a precedent for future ransomware strains, was that, thanks largely to the anonymity it provides the criminals behind the attacks, it demanded payment in the cryptocurrency “Bitcoin”.
Whether those affected by ransomware should actually pay the ransom has been widely debated [they shouldn’t]but, either way, outbreaks within organisations will have an immediate, devastating impact.
It will make you WannaCry
On Friday, 12 May 2017, the WannaCry ransomware attack began rapidly spreading across the globe. Affected organisations included FedEx, Nissan UK, Telefonica, the NHS and many more. The timing of the attack, right ahead of the weekend, only added to the desperation to restore systems. Many businesses simply had to resort to paper and pen while IT staff grappled with the sheer scale of the outbreak.
Organisations who paid the ransom took a chance that those behind the attack would provide the means to decrypt data while those that didn’t simply had to set about factory-resetting, or restoring from back-ups.
Petya or not – the threat to data intensifies
On Wednesday, 28 June 2017, a variation of a previously seen strain of the Petya ransomware – since dubbed “NotPetya”, began spreading. Initially concentrated in Ukraine, the attack began spreading widely, affecting UK organisations such as advertising company WPP. At the time of writing the motivation behind this attack is still unclear – some researchers have claimed NotPetya was designed to simply destroy data, rather than generate revenue from ransom demands.
Can the threat ever be neutralised?
What we have learnt is that, despite all the cyber defences in the world, if a vulnerability exists that isn’t yet known about and patched against, an organisation is at risk from future ransomware attacks.
It’s also true that smaller and growing businesses with limited IT resources face an even greater struggle to defend against the barrage of cyberattacks and mitigate the cyber risk of data loss. Businesses should ensure that they are training staff so that they understand cyber threats and how actions can place corporate data at risk, with this information then reinforced through easy-to-read policies.
First and foremost, organisations can no longer rely simply on preventative cybersecurity measures to keep data secure from new attacks. It’s time to implement more comprehensive, multilayered defences that include data backup, enabling bosses to quickly revert to a healthy point prior to an attack taking hold, regardless of its timing or sophistication.
Andrew Stuart is managing director of Datto EMEA