Know when to hold, know when to fold

When it comes to ransomware, security consultants and law enforcement have always advised victims not to pay up. That’s understandable, since paying effectively rewards criminals for committing crime. But just as hard cases make for bad law, there are times when organisations have no choice but to part with their money. Either the cost of the resulting downtime is too high to bear, or they have no other way of recovering their data. And now, even the FBI has softened its stance. Having always advocated a no-pay approach, its latest guidance acknowledged that sometimes it’s the only option. 

Insurance won’t necessarily cover the cost, either. Just ask Norsk Hydro. Its most recent financial statement disclosed that its insurance payout amounted to a paltry 6% of the cost of its ransomware attack.

Ransomware doesn’t look like it’s going away any time soon. As Emsisoft noted in its blog, 621 US government entities suffered an incident in the first nine months of 2019. We advise always checking No More Ransom, the independent website run by law enforcement and industry, which regularly updates with new fixes to decrypt infected systems.

Patch Tuesday? How about every day

Interesting side-note from recent Sophos research into the WannaCry ransomware: there are still a *lot* of unpatched systems out there. How do we know? Because WannaCry doesn’t even try infecting computers if it knows they’re patched. So by inference, the 5 million infection attempts that Sophos tracked over three months between October and December 2018 were against unprotected devices. 

Now remember that the security hole WannaCry exploits was fixed two months before the first infection hit. “In other words, the world is awash with computers that haven’t been patched for well over two years,” Sophos wrote. Ouch. (FYI: there are now around 12,000 variants of WannaCry in the wild.) In related news, ServiceNow found that most breaches in 2019 happened because of unapplied patches. Meanwhile, research from Veracode found that the longer a security flaw exists, the less likely it is to get fixed. It arrived at this conclusion after analysing more than 85,000 applications across more than 2,300 companies worldwide.

Life’s a breach

Whenever a breach happens, we tend to focus on the scale, the amount of data lost, or how many individuals were affected. What’s been mostly hidden until now is an account of what a breach looks like from the inside. Few coalfaces burned hotter than Equifax, which lost over 150 million records to cyber criminals in 2017. The breach ultimately cost the company more than $700 million, while several senior executives lost their jobs. 

Now David Rimmer, who was the company’s Europe CISO, has revealed the demoralising personal impact of managing the breach. In a long interview with the BBC, he said: “Companies need to recognise when they do planning exercises for security breach responses that they have a duty of care to security employees. Bringing in third parties or throwing money at the problem doesn’t help – it exacerbates the problem by increasing the workload on the same staff… Equifax spent millions responding to the breach, but that turned into people from the security team working overtime, on 36-hour shifts, and that’s the hidden cost of the breach that no one has gotten near to quantifying so far.”