Every time there’s a compliance or security issue surrounding a popular application, most IT security professionals just shake their heads in disbelief. When it was discovered this week that the Pokemon Go mobile application (which gathers more personal data than any application has a right to do) is distributed on servers loaded with malware, most IT security professionals quietly fume over why no one is listening to their warnings. After all, this is not the first mobile application to have IT security issues. Remember when it turned out that a lot of those mobile flashlight applications were sending data back to unknown servers in China?
Putting all politics aside, Hillary Clinton’s use of a private email server to transfer sensitive documents has brought up two important issues that business and IT leaders need to address. The first is to establish the degree to which end users are to be held accountable for circumventing an IT environment. The second, thornier issue is to determine how organizations can eliminate IT issues that result in end users feeling the need to circumvent those systems in the first place.
There are very few employees who have never made use of a “shadow IT” service to access or share a company document or file. Those documents may not involve state secrets, but they often contain sensitive customer information or even corporate intellectual property.
July 4th is always a good time to appreciate the perspective of one of the most beloved founding fathers of the United States. “Those who would give up essential liberty, to purchase a little temporary safety, deserve neither liberty nor safety.” Penned by Ben Franklin at a time when American rebels feared being hanged for treason, those words still resonate with business and IT leaders over two centuries later.
IT security has never been more threatened. Just about every business leader now recognizes the need to create a digital business strategy in order to stay relevant to their customers. New competitors that are leveraging advances in IT are making gains in almost every vertical industry. The potential those startups have to dethrone even the most well-heeled institutions is immense. A wave of financial technology (FinTech) companies is well along the path to doing to traditional banks what Uber and AirBnB did to the livery and hotel industries.
The relationship between IT security and data protection has never been as tight as it should be inside most organizations. In an ideal world, the identification of a potential security threat would kick off a series of backups to help make sure no data gets lost in the event that a security breach occurs. While that theory has been around for decades, the rise of “ransomware” is now turning that best practice into an absolute necessity.
Ransomware makes use of malware to deliver a payload that encrypts an organization’s data. The only way to regain that data is to pay a ransom to gain access to the keys needed to decrypt that data. The only real solution to this problem at the moment is for organizations to regularly back up their data. That way in the event of a ransomware attack, the organization can minimize the amount of data at risk.
Unfortunately, a new survey of 1,138 companies conducted by KnowBe4, which specializes in IT security training for end users, finds that if faced with four hours of lost work from ransomware encryption, only 40 percent would rely on backup. Additionally, just over half (51 percent) said they would just reformat and start from scratch. When asked if they were confronted with a scenario where backups had failed and weeks of work might be lost, 42 percent said they would pay the ransom before doing anything else.
Of course, the amount of ransom to be paid depends on the nature of the data being encrypted. Most of the ransom fees being demanded are relatively trivial compared to the amount of time and effort currently required to recover data. But over time, cybercriminals can be expected to become more sophisticated and brazen. They will get better at identifying high value targets, and the amount of ransom being demanded will increase accordingly.
For this reason, it’s clear that most IT organizations need to revisit their data protection strategies. The first order of business is to make sure that the backup process didn’t fail in the first place. Backup failures are much more common than most IT organizations realize. This is because testing the backup and recovery process is at best sporadic. It’s not until an actual crisis occurs that many organizations realize that the investments in data protection they made are returning nothing but a bunch of corrupt files.
As cybercriminals become more sophisticated in their use of social engineering techniques to fool more end users into downloading malware, it’s only a matter of time before IT organizations find themselves routinely dealing with these attacks. The issue that many of them are not overly excited about admitting is the poor state of data management hygiene that exists inside most IT organizations today.
Of course, IT organizations could spend a lot of cycles trying to figure out why this state of affairs has been allowed to persist all these years. But for the most part, that would be a waste of time. The far better thing is to first test your organization’s actual ability to recover files intact in a timely manner. Assuming that experience leaves much to be desired, the next thing to do is implement a new data protection plan. The one big caveat, of course, is that the clock is now ticking between when cybercriminals discover how vulnerable your organization is and the amount of time it takes for your organization to develop, implement and test that new data protection solution.
Mike Vizard has covered IT for more than 25 years, and has edited or contributed to a number of tech publications including InfoWorld, eWeek, CRN, Baseline, ComputerWorld, TMCNet, and Digital Review. He currently blogs for IT Business Edge and contributes to CIOinsight, The Channel Insider, Programmableweb and Slashdot. Mike also blogs about emerging cloud technology for Intronis MSP Solutions by Barracuda.
For better or worse, the United States government in all its forms is becoming more active in cybersecurity. Thanks to the rise of high profile ransomware cases, Russian hacks into databases operated by the Democratic National Committee and an ongoing legal battle over encryption and the right to privacy, politicians and government bureaucrats are paying more attention to IT security.
In fact, at an American Enterprise Institute event this week on Capitol Hill, U.S. Sens. Mark R. Warner (D-VA) and Cory Gardner (R-CO) announced the creation of the ‘Senate Cybersecurity Caucus’ to provide a platform for Senators and their staffs to stay informed on major policy issues and developments in cybersecurity. That means it’s only a matter of time before more IT security regulations start to show up as a matter of law.
Cybercriminals may have more technical knowledge than the average thief, but their strategies are not much different. The average thief looks for targets that are easy to rob and offer the least potential for them to get caught. For that reason, robbers tend to avoid houses with dogs or lots of alarms. That doesn’t mean these houses can’t be robbed; it just means the risks versus rewards associated with robbing that particular house make it less likely.
The same scenario plays out with IT security. When cybercriminals detect that there is a lot of well-managed IT security in place, their first instinct is to go look for easier prey. They may wonder what’s behind all that security, but the cost of hacking through multiple layers of IT security defenses makes it too costly and time-consuming for the average hacker to make the effort. Just like everybody else, most criminals have monthly expenses they need to cover.
There’s a natural perception that banking institutions such as the Federal Reserve would be as well defended from a cybersecurity perspective as they are from everyday bank robbers. But it turns out the U.S. Federal Reserve was forced to admit this week that it has detected more than 50 cyber breaches between 2011 and 2015, with several of those incidents attributed to “espionage.”
Of course, this isn’t the only high profile breach involving the banking industry of late. Hackers have increasingly targeted SWIFT, a worldwide network for financial transactions managed by a consortium of financial institutions based in Brussels. Meanwhile, in Russia a cybercriminal gang responsible for stealing $25 million was recently exposed.