Hackers prosper thanks to security’s blurred lines of responsibility
Permanent loss of data. Four words no CIO ever wants to hear, especially in the run-up to the General Data Protection Regulation (GDPR). But when delivery firm TNT confessed it had lost data in the wake of a ransom cyber-attack, the reality hit home: Permanent Denial of Service attacks have landed with a thump, warns Andrew Foxcroft, the country manager and regional director for the UK, Ireland and Nordics at Radware.
Of course, TNT wasn’t the only company to have been caught up in a ransom attack this year. Deutsche Bahn, the NHS, Maersk and Telefónica all bore the brunt, and the news from TNT must have made them all reach for the panic button and triple-check they weren’t going to be making a similar announcement.
The brilliance of WannaCry – the attack that affected the NHS last May – was in its simplicity. It exploited the inertia that so many people have when it comes to software updates. Find a device that’s not up to date and you can wreak havoc with the click of a button.
It also highlighted how few organisations are prepared for the speed at which black hat hackers respond to white hat research. Microsoft’s admission that there was a weakness gifted hackers an opportunity that was too good to miss. It took very little time to turn around a malicious hack that was capable of not just stopping business but putting one out of business if it didn’t respond rapidly.
TNT lost data, and no matter how awful that is, it’s a lucky escape. They could have lost everything including the hardware.
As security professionals we all know that the frequency of multi-vector Denial of Service cyber-attacks is growing exponentially year-over-year and getting more sophisticated.
But still many businesses are unprepared and therefore unable to defend themselves – around 43% wouldn’t be able to cope with an attack lasting just 24 hours. Any company that falls into this bracket should be worried by TNT’s experience, but fundamentally it raises a question we should all be asking ourselves: Why are we still so unprepared?
The list of reasons is long and generally related to the investment in skill, time and budget needed to deliver complex business transformations, adopt new technology, upgrade systems, or migrate applications to the cloud, not to mention managing the business-as-usual demands.
But there does also seem to be a gap emerging. Plenty of business leaders know they need to get a grip on security but some are running to stand still. In an era of so much transformation and new technology adoption, something has to give. Budgets and affordable skills simply won’t stretch to deliver everything the business wants.
On the flip side, ISPs are offering a service of continuity. They will keep your network capacity running as efficiently as possible, but very few will look after all the security requirements of your business as well.
It’s a strange situation, especially when you consider the ISP sector is the most targeted after finance and government. It’s the perfect domino effect – take down the ISP and you have a gateway to every brand they support. They have to have robust defences in place or they fold.
The lines as to whose responsibility it is are clearly blurred. Many organisations, naturally, want to own security. It’s about ensuring you have the keys to the castle and you can pull the drawbridge up exactly when you need to.
It’s a fair and sensible strategy. These businesses are investing in automated real-time detection and mitigation, and even ex-hackers who can spot the threats and advise on technology deployments to avert danger. They are doing the right thing.
But it prevents them from doing the things their businesses expect, like adopting a new customer management and campaign tool, or rolling out smart meters.
ISPs are also investing in their own security infrastructure. They simply can’t afford to be the one to succumb to a distributed denial of service (DDoS) attack and allow hackers free access to the brands they support.
Perhaps it’s time for a rethink. Time to meet in the middle.
GDPR compliance and Brexit, in the UK, will dominate in the months ahead. They are sizeable distractions and every business will be focused on understanding their implications. Outsourcing the headache of security could be a way to redeploy IT skill onto the tasks that will help the business grow.
That said, they need the ISP market to respond. There’s a huge opportunity to deliver a valuable service to their enterprise customers: defending against DDoS requires not only scale and powerful tools, many of which the ISPs are already using in some shape or form, but it also mandates the implementation of a range of flexible DDoS solutions that can readily adapt to the changing threat landscape and even predict future DDoS threats.
The ISPs have the foundation technology and the know-how. The big question is how soon they will cross the line, as there’s no doubt CIOs will be hoping it’s today.