The sinking feeling as you open the door to the office only to hear silence as everybody stares in disbelief at the news of a hack on your company is, unfortunately, becoming increasingly common for IT security executives around the world. We are only just halfway through 2017 and we have already had the WannaCry attacks, which impacted 57,000 computers in 65 countries; an attack on Grozio Chirurgija that released intimate pre- and post-op images from a cosmetic surgery clinic; Chipotle customers having their credit card details stolen; Disney having one of its films stolen (reportedly the latest Pirates of the Caribbean movie); and Emmanuel Macron’s party being hacked on the eve of the French elections. These are just the tip of the iceberg in terms of the total number of attacks this year. The full numbers are yet to be released, but given that in the first half of 2016 there were 554,454,942 records compromised, it would not be a stretch to think this number has already been exceeded.
Undoubtedly the most shocking attack, and the one with the widest ramifications, was WannaCry: a ransomware attack that impacted thousands of computers, including in the NHS in the UK, where doctors were locked out of their computers, surgeries were canceled, and medical records were inaccessible. It was a huge scandal and came at a time when spending on public services in the UK, like the NHS, was under the spotlight and the Conservative government was roundly criticized for the years of austerity that had led to declining funding in the health service.
According to David Evans, Director of Community & Policy at The Chartered Institute for IT, ‘Unfortunately, without the necessary IT professionals, proper investment and training the damage caused by the WannaCry ransomware virus was an inevitability.’ It was only because one cyber security expert noticed a kill switch in the code (the malware stopped attacking if a certain URL went live) that the attack was not even worse than it was.
However, this is not just an issue for underfunded public services; it is an issue for the wider business community too.
Data security teams cannot be run in the same way as traditional business units where budgets can be decreased if the business has a bad year. If you cut the budget of a marketing team, you may be less effective in spreading your message, but it won’t destroy the company. If you need to make a redundancy in your sales team, you may lose a few sales, but you won’t receive universal condemnation in the media.
The equipment that most departments use is also typically updated only once every three years, with the biggest expenses coming during implementation. With data security the implementation cost may be a little higher, but the real difference is that whereas the majority of business units work to maximize opportunities, data security aims to reduce constantly evolving business threats. So where cutting budgets elsewhere may result in fewer gains, cutting budgets in data security could result in significant loss.
This is therefore a difficult decision for many company leaders; after all, their job is to make money for the company, something that data security ultimately does not do. If they cut a salesperson, for instance, they know that they will probably reduce profits slightly. If they cut from data security, they know profits will not drop directly, but they will ultimately be left at greater risk of losing significantly more. Unfortunately, we have historically seen the former win out.