The High Costs of Low Concern
We drive around a lot, sometimes with our laptops and other job-critical assets in our cars. Would you ever leave your car unlocked while you’re grabbing your coffee? What about at work? The answer is likely no, because you know the security risk of leaving your vehicle unlocked day to day. So why do so many of us not apply that same security thinking to the organizations we manage or work for?
Kaspersky Lab has released a report on external threats and exploits against its clients, covering the last seven years, and the findings are not optimistic for corporate users. In the past two years the number of people who faced an exploit increased by 28%, reaching 690,557 users across Kaspersky’s corporate clients. The report had one primary takeaway: keep your systems up-to-date! That sounds very simple, but the reality is never so straightforward. Running unpatched systems is a bit like leaving your car doors wide open for thieves to have a free-for-all. Let’s explore why the investment in an up-to-date system is worth it and what the high risks of business-as-usual are.
In Kaspersky’s report, of those who did encounter an exploit, 27% of the time it was the zero-day Stuxnet LNK self-replicating worm. This worm spreads on USB sticks and exploits a vulnerability in shortcut link (LNK) file icons. Someone using an infected USB drive would not be aware of what they are carrying. The exploit was patched by Microsoft in March 2015; however, for systems that are not updated the Stuxnet worm is a very real and active threat. So you may ask yourself who uses outdated systems? Well, according to analytics company StatCounter, about 5.3% (StatCounter, 2017) of PC users are using Windows XP, which translates to hundreds of millions of outdated machines. Some of these users include healthcare organizations, the U.S. Military, the Department of Education, retailers, and even NASA. With an outdated machine come outdated browsers, software, and antivirus. This means there are layers upon layers of vulnerabilities for users running outdated systems. On Microsoft’s own blog they warned about out-of-date systems. Attacks on older systems have become so bad that Microsoft even released a ransomware patch for Windows XP users.
A very recent case study showing why operating on unsupported systems is bad practice comes from the National Health Service (NHS) of the UK. On May 12, 2017 the NHS was affected by a global cyber security attack using “ransomware”. This type of attack encrypts all of the files on your computer or server and then demands payment to decrypt them; if payment is not made within a specified amount of time, the files are all deleted. The attack targeted out-of-date Windows systems and was able to infect 57,000 devices in 99 different countries. Such a prominent government agency being vulnerable raised a lot of questions about the UK’s ability to keep its systems secure. After much finger pointing and blaming, it was found that the NHS was operating on Windows XP, which had not been supported since 2014. With management and government not taking information security seriously, the NHS was left vulnerable. Management did not heed warnings from Microsoft in March, and in 2015 Defense Secretary Michael Fallon allocated only 2.6% of the £1.9bn cyber security budget (£50m) to the NHS to upgrade all of its systems to the most modern versions. Treating information security as an afterthought has cost the NHS and the government of the UK a lot of money and may even have cost lives due to the attack.
Accountability is the keyword here. In the example above, financing upgrades was part of the failure of the NHS and UK government, which is to say of upper management. Who exactly should feel responsible in the event of a data breach? Executives sure don’t seem to feel it’s them. In a survey conducted by Nasdaq and Tanium the results were startling. A shocking 90% of executive respondents said they cannot read a cyber security report and would not know how to respond to a breach. In addition, 40% of executives said that cyber security is not their responsibility. These were major publicly traded companies around the world. This attitude of not taking responsibility is fading away, however. According to IBM cyber security strategist Kevin Joseph, boards are now requiring some incoming CEOs to have knowledge of information security and of the risks that come with ignoring it.
Executive Commitment & Responsibility
What does it take to shift perspective and create a CEO and Board committed to cyber security? Accenture has outlined what Chief Information Security Officers can do to catalyze this mindset. The most critical aspect is that the CEO and Board are not just aware of cyber security risk, but engaged with it and taking responsibility for the risk of a data breach. The quickest way to make this happen is to do the following:
- Place cyber security in the context of business strategy and risks.
- In all cyber security communications, always discuss business impacts upfront.
- Have the C-Suite and Board engage in cyber security breach drills. Build in a reflex of response through these drills.
If executives and the Board are not committed to cyber security, underfunding can have a dramatic impact on keeping systems current. With software falling out of support so often, and with sensitive data being transmitted to clouds and mobile devices, failing to keep systems current becomes a major security risk. It is not enough to simply have an antivirus; software, browsers, and operating systems must all have the latest security updates installed. If you’d like to keep your corporation safe from these types of attacks, it is worth the struggle through internal politics and bureaucracy to make sure systems are up-to-date across your organization as a whole. Not doing so places private data at risk from attacks like the one described above. As Kaspersky’s report recommended: keep your systems up-to-date!
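The article’s closing point, that an unsupported operating system is a critical risk no matter how fresh the antivirus is, can be turned into a simple fleet audit. The script below is an added example written for this page, not code from Kaspersky, the NHS or any vendor. It runs over a small inventory constructed inline (the host names, dates and the end-of-support table are assumptions for illustration; a real audit would pull the inventory from an asset system and maintain the table from vendor lifecycle pages) and ranks each host the way the article argues: an out-of-support OS outranks stale patches, which outrank stale antivirus signatures.

```python
"""Patch-currency audit over a constructed host inventory (example code, not the article's)."""
from dataclasses import dataclass
from datetime import date, timedelta

# Assumption: illustrative end-of-support dates; maintain this from vendor lifecycle pages.
END_OF_SUPPORT = {
    "Windows XP": date(2014, 4, 8),
    "Windows 7": date(2020, 1, 14),
}

# Assumption: policy thresholds for how old a patch level or signature set may be.
MAX_PATCH_AGE = timedelta(days=30)
MAX_AV_AGE = timedelta(days=7)


@dataclass
class Host:
    name: str
    os_name: str
    last_patch: date        # date the most recent security update was installed
    av_signatures: date     # date of the newest antivirus signature set


def findings_for(host: Host, today: date) -> list[tuple[str, str]]:
    """Return (category, detail) findings for one host as of `today`."""
    found = []
    eol = END_OF_SUPPORT.get(host.os_name)
    if eol is not None and today >= eol:
        # No vendor patches exist for this OS at all, so patch age is moot.
        found.append(("eol", f"{host.os_name} unsupported since {eol.isoformat()}"))
    patch_age = today - host.last_patch
    if patch_age > MAX_PATCH_AGE:
        found.append(("patch", f"no security update for {patch_age.days} days"))
    av_age = today - host.av_signatures
    if av_age > MAX_AV_AGE:
        found.append(("av", f"antivirus signatures {av_age.days} days old"))
    return found


def severity(findings: list[tuple[str, str]]) -> str:
    """Rank findings: unsupported OS is critical, stale patching is high, stale AV alone is medium."""
    categories = {cat for cat, _ in findings}
    if "eol" in categories:
        return "critical"
    if "patch" in categories:
        return "high"
    if "av" in categories:
        return "medium"
    return "ok"


def audit(hosts: list[Host], today: date) -> dict[str, tuple[str, list[str]]]:
    """Map each host name to its severity and human-readable finding details."""
    report = {}
    for host in hosts:
        findings = findings_for(host, today)
        report[host.name] = (severity(findings), [detail for _, detail in findings])
    return report


# Constructed sample inventory, evaluated as of the date of the attack described in the article.
SAMPLE_HOSTS = [
    Host("ward-pc-01", "Windows XP", date(2014, 3, 11), date(2017, 5, 11)),   # AV fresh, OS dead
    Host("finance-07", "Windows 7", date(2017, 3, 14), date(2017, 5, 1)),     # supported but neglected
    Host("dev-laptop-22", "Windows 10", date(2017, 5, 10), date(2017, 5, 11)),  # current
]
AS_OF = date(2017, 5, 12)

if __name__ == "__main__":
    for name, (level, details) in audit(SAMPLE_HOSTS, AS_OF).items():
        print(f"{name:14} {level:8} {'; '.join(details) or 'no findings'}")
```

The ordering in `severity` encodes the article’s argument directly: `ward-pc-01` has up-to-date antivirus signatures but still ranks critical, because no security update can be installed on an operating system the vendor no longer supports.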