SBA

Information | Process | Technology


2017 New Year’s Resolutions

Happy New Year to y’all - and thank you for reading. From an IT perspective 2016 was dominated by cyber security and data protection issues. Actually I’m never really sure these days whether I should say “cyber security” or “cyber crime”, because such a high proportion of “cyber” incidents, whilst they are breaches of security, are intentional crimes committed for profit. If an unauthorised person enters your premises and takes away your possessions that’s normally a crime, even if you were so stupid as to leave the front door unlocked and open.

Anyway, whether we refer to cyber security or cyber crime, 2017 is going to be much worse. I don’t know if you have made any New Year’s Resolutions for your business, but you can do yourself and all of us employees and customers a favour by putting “Cyber” at the top of your agenda for the coming year - if you want to stay in business.


You probably remember reading about the TalkTalk hack in late 2015. The wheels of justice grind slowly, so the 17-year-old perpetrator finally appeared in court in November 2016. The UK Information Commissioner fined the company £400,000 for its lax custodianship of customers’ data, which is peanuts compared to the actual costs, estimated by the company to be around £60,000,000, and the loss of 180,000 customers.

In December 2016 the ailing Internet services company Yahoo!, once a rival to Google, was forced to disclose the loss of information pertaining to one billion (yep, 1,000,000,000) customers. The actual theft is thought to have occurred in 2013, and is separate from the 2014 Yahoo! data loss of information about 500,000 customers which the company revealed in September 2016. Yahoo! has been up for sale for a while, and since mid-2016 the US telecoms company Verizon has supposedly been working to buy the company for $4.8 billion. In December news emerged that Verizon will likely walk away from the deal, or seek a substantially lower price. It’s entirely feasible that Yahoo!’s poor cyber security will have cost shareholders over two billion dollars, and if the Verizon deal falls through it’s likely the company will fold altogether.

Need I mention Mossack Fonseca … ?


Enough with the horror stories; suffice to say that protecting customers’ data has become a major issue for regulators, customers, companies and governments around the world. Criminals are stealing and selling customer data wholesale, and making big bucks.

Cyber is not just about preventing data theft however, and the criminal profits from data theft look modest when compared with the potential for the in-vogue cyber crime of 2016 - ransomware. Estimates suggest that denying you access to your data by encrypting your files will have netted the crims around a billion dollars last year, and by my assessment they’ve barely got started.


Most ransomware incidents in 2016 have been attacks on the disks of individual PCs and the network drives those PCs can access. These crude efforts have been sufficient to prevent small businesses, local authorities, hospitals and other “less sophisticated” IT operations from operating - for example Lincolnshire County Council basically suspended operations for a week in February whilst it switched off, purged and recovered all of its computer systems following a ransomware attack. Research in the middle of 2016 showed that over half of UK businesses have been attacked with ransomware, and whilst the majority coped without paying the ransom, the cost and disruption has been significant.


Cyber incidents are up there as one of the biggest risks of modern business, possibly the biggest, but most organisations have not caught up with the rapid escalation of cyber threats. 2016 saw the frequency of ransomware attacks nearly double, and the average ransom value increased by well over 100% - it will be some months before there are final statistics for 2016 but it looks as though criminal gains from ransomware probably quadrupled last year.


So, 2017? Cyber attacks and data protection are going to be a much, much bigger headache.


On the data protection front we need to prepare for the EU General Data Protection Regulation (GDPR). Organisations will need to re-visit the data they hold, their IT systems, their cyber security measures and their data-handling policies and procedures to ensure that they comply with the requirements and spirit of the new EU laws, and with whatever laws the island implements to achieve an EU GDPR equivalence ruling.

Really achieving GDPR compliance will be a major undertaking; some large UK businesses with very deep pockets are already saying that they will not be able to achieve compliance by the time the GDPR takes effect within the EU. Many businesses will look to do the minimum initially - not because they are negligent, but simply because they will be able to comply with the letter of the law much sooner than they can comply with the spirit of the law. This approach will only contain the problem for so long - once the auditors start looking at GDPR compliance, the gaps between the written law and the intent of the regulators will soon become apparent. Many businesses will have to hope that they are not victims of data theft cyber attacks during 2017/8, because early exposure to regulatory scrutiny will not end well.

Cyber crime data thefts will escalate this year. By the end of the year I anticipate seeing significant automation of intrusion attempts by criminal hackers. Intelligence services and state-sponsored hackers have already invested in substantial automation of their penetration tools, but as more businesses harden their systems and improve their defences to mitigate the current risk of criminal hacking, criminals will respond by building more automation and incorporating artificial intelligence into their hacking toolkits. The economics are very simple: criminal data theft is a profitable commercial enterprise, so if we, by hardening our systems, make hacking our systems more difficult, then the criminals will make their tools more sophisticated and powerful to prevent their costs escalating or to avoid going out of business altogether. Whilst successful attacks by “script kiddies” will likely diminish, some of the professional criminal hackers are very clever, and technically as competent as, or more competent than, the folks who sell computer security systems.

Most of all, however, ransomware will go big. The majority of organisations hit by ransomware don’t pay the ransom - they clean their systems, recover their data from backups, shrug their shoulders and accept the loss of less important data. They can do this because the effects of ransomware have been quite low-tech - the loss of static files such as documents and spreadsheets on some PCs and file servers - but two developments in late 2016 point to a rapid escalation in sophistication. The first is the development of ransomware as a virus, enabling the ransomware to spread from computer to computer and achieve much more complete coverage of an organisation’s data. The second is ransomware which can attack back-end database servers.

Most proper databases, such as SQL Server and Oracle, have been largely immune to the ransomware seen over the past couple of years - even if the database server has been infected, the databases themselves have been safe because of the crude design of the ransomware programs. But the end of 2016 saw the emergence of new ransomware designed specifically to attack back-end databases. Back-end databases are the IT crown jewels of any sophisticated enterprise - lose access to your customer and transaction data and you are out of business. The criminals have raised the stakes, meaning that instead of containing and coping with a ransomware attack, organisations which are hit will have to shut down for a prolonged period, or pay up. Even if you pay the ransom there is no guarantee you will get your data back, or get it back quickly, and the cost of being completely out of action for three days, without access to your customer database, will be substantial for many organisations.

In short, apologies for another cyber article, but if you have one business New Year’s Resolution for 2017, make it Cyber Security. You don’t want to be a victim: it will cost you a packet to recover and may bring much unwanted regulatory attention and bad publicity. 2017 is going to be a bumper year for cyber criminals - I think that 2017 through 2019 is going to be “Peak Cyber Crime”, and the good guys will only get the upper hand towards the end of the decade, when our cyber defences become dominated by artificial intelligence systems “fighting the good fight” against the increasingly sophisticated toolkits employed by the dark side.