The following is a paragraph from a lead story in the New York Times on the recent global cyber attacks.
SAN FRANCISCO – Hackers exploiting malicious software stolen from the National Security Agency executed damaging cyberattacks on Friday that hit dozens of countries worldwide, forcing Britain’s public health system to send patients away, freezing computers at Russia’s Interior Ministry and wreaking havoc on tens of thousands of computer elsewhere. New York Times, May 13, 2017, p. 1
It should be a nightmare for all who have not secured their systems and data. An estimated 600,000 plus computers attacked in over 150 countries should get our attention. The details of the attack, against patients, hospitals, government entities, businesses and ordinary citizens, are chilling.
It is important to realize that we are all vulnerable to these kinds of attacks. The phishing software is easily available as are the viruses developed by the NSA and others. And while it used to take some pretty high technical skills to be a malware hacker, experts are very clear that these days you don’t have to be a computer expert to be a computer thief.
Ransomware is not rocket science. Hackers send their malicious software by email to a target (or thousands of them). The email contains what appears to be an innocuous attachment that, when clicked on, allows the malicious software to infect your computer system by encrypting your data so it is not accessible. The hackers then ask for a payment, usually in Bitcoin, in exchange for unlocking your data. If all goes well after making the payment, you can access your data again.
Assessment of your cyber exposures is the absolute rock bottom requirement in beginning to protect your data and systems. This assessment should inquire into the organization and structure of your IT systems, their security, the training of your employees (over 75% of data breaches are the result of employee negligence and sometimes malfeasance), your auditing of incoming and outgoing data, and the overall ability of your systems and employees to prevent these kinds of successful hacking and ransomware attacks.
There is no guarantee that any process will absolutely prevent a malware attack. But if you assess your system and operational cyber vulnerabilities and take the necessary remedial action as a result of the assessment, including addressing the exposures in your use of devices attached under the general category of the Internet of Things (lighting, scheduling, access, and the like), you will have greatly reduced the potential for an expensive malware attack.