Here we are, at the end of the first month of a new year and where are we? Well I guess that very much depends on who you are. If you're a hacker, then things are looking good for you. If you're a consumer, the evidence suggests you won't be fooled twice, but is that good enough? And if you're a business, you've got the same security problems as last year but with enhanced threats from hackers and careless employees as well as enhanced expectations from consumers. So exactly what is happening in today's security world and what does it mean for you?
A billion dollar industry
I say that things are looking up if you're a hacker on the back of the FBI saying that ransomware could be a billion dollar industry soon. They reported an astonishing rise in the crime with losses of $24m reported in 2015 but losses of $209m reported in just the first quarter of 2016. While this is, of course, a US statistic, it's a problem that is clearly not confined to the US with new research from Radware revealing that 49 per cent of European businesses confirmed cyber ransom as the top attack motivation for last year.
But this rise in ransomware attacks, in itself, isn't the most worrying aspect of these developments. What concerns me most, and what I find entirely unacceptable, is the other main statistic in Radware's research findings that claim 5 per cent of European businesses are keeping Bitcoins to pay the ransom in order to regain access to their systems. Is that now a security solution?
Negotiating with terrorists
Not wanting to steal the US Government's mantra of 'we won't negotiate with terrorists' but isn't paying the hackers exactly that? And isn't that exactly the reason why ransom attacks are increasing? Do those companies paying the ransom not see the correlation here? And do they not repeatedly get hacked because the hackers know they'll pay? Isn't their behaviour, in fact, making it more difficult for them, and everyone else, to secure their systems?
UK schools targeted
In related news in this first month of the year, the UK police department has had to put out a warning to UK schools to be aware of a scam whereby a caller claims to be from the Department of Education and asks for the personal email address of the head teacher using the reason that they need to send them confidential information. They then send files containing ransomware and demand payments of up to £8,000 to regain access to their systems. Films, TV shows and even the media would sometimes like us to think of hackers as those trying, benevolently, to expose a truth but as we can see from this example, it's often just about making profit.
The case of the missing 'network attached storage' device
At the start of the year, we also found out that the Information Commissioner's Office (ICO) fined Royal & Sun Alliance £150,000 after a device with the personal information of almost 60,000 customers was stolen. The device was described as a 'network attached storage' device and it was reportedly stolen by a person who had access to Royal & Sun Alliance's data server room based in Horsham.
There are a couple of interesting aspects to this story. Firstly, the data breach at the server room is reported to have happened between mid-May and the end of July 2015. That's a 10 week period when the organisation didn't know where that 'network attached device' was or that there had even been a breach. Secondly, they were fined £150,000 - that's essentially the ICO charging Royal & Sun Alliance less than £3 for each person's data that they lost. That doesn't seem very much, and certainly not enough to warrant the Board taking IT security seriously. And it's also not representative of what the new EU General Data Protection Regulation's fines for data breaches of up to 4 per cent of global annual turnover will be enforcing just next year.
Of course, the fine is 'up to' 4 per cent but the fact that Royal & Sun Alliance can't say when the data was stolen to less than a 10 week period suggests they're not exactly doing their best to secure their customer's personal information. Furthermore, if it was in line with the 4 per cent fine that's coming down the line, it would suggest that Royal & Sun Alliance's global annual turnover was less than £4m, although it should be noted at this current time that the maximum fine from the ICO is £500,000.
Where are we so far this year?
So to sum up, we have companies actively choosing a security strategy of paying the hackers to regain access to their systems, the FBI saying ransomware is going to be a billion dollar business, employees not educated enough to, firstly, not give out personal information over the phone, and secondly, open and download attachments to what is, effectively, a phishing scam with a human touch, a huge corporation seemingly not taking the protection of their customer's personal information seriously, and the ICO behaving like it's usual toothless wonder self by dolling out a negligible fine that won't make anyone at Royal & Sun Alliance or any other corporation bat an eyelid.
What about consumers?
In terms of how this affects consumers, research from the Office of National Statistics this month claimed that victims of cyber crime were unlikely to be victims more than one. The experimental research shows 82 per cent of victims were only hit once, with 12 per cent reportedly hit twice and six per cent claiming to be victimised three or more times. Meanwhile, research from Gemalto suggests that consumers, craving convenience, remain quick to give over their personal details to companies but 70 per cent of respondents said that organisations are responsible for securing their data while 29 per cent of those surveyed didn't think organisations were taking that responsibility seriously. Of course, to a certain degree consumers can take their business elsewhere but that is only possible with private companies; we have no choice but to share our personal information with public services.
Last year, I thought we needed a shift in mindset towards educating employees about security and not just IT focused employees but everyone because the nature of IT these days means that everyone can plausibly be a risk, an insider threat, either by mistake or by design. But now, it seems like we need a lot more than that; it seems that we need a total shift in mindset towards the entire concept of security; we need to go back to the drawing board. It's clear that breaches are still happening, be they physical or online. It's clear that both organisations and consumers know that there's a problem, yet rather than progress towards a solution, it seems, from the first month of this year at least, that we're going backwards. Maybe when the GDPR comes into force next year and the first huge fine is given to a company for a breach, companies will finally take security seriously.
Norman Shaw, CEO, ExactTrak