Ransom notes

Are you vulnerable to cyber attack? You may think not, but Walter Hale explains why you may need to change that thinking if you don’t want hackers holding you hostage.

One lunchtime, an engineer at the British chip designer ARM decided to see how many security cameras he could hack into. By the time he went back to work, he had managed to access 1.2 million of them. To prove the point that everything with a chip in it could be hacked, his colleagues at ARM later broke into the system of a 4x4 car.

Let’s think about that for a minute. Everything that is digital can be hacked - so not just computers and email, but TVs, smartphones, cars, even heart pacemakers. (This might sound like science fiction but the US government was worried enough to issue new security guidelines to safeguard these devices.) For businesses, the threat can come from anywhere: 110m customers of the retailer Target had their personal information compromised after hackers broke into one of its servers via its air conditioning supplier. And the spread of the Internet of Things (see IR Aug/Oct issue 2015: http://www.imagereportsmag.co.uk/features/technical/on-the-radar/6432-iot-the-mother-of-all-mis) will exponentially increase that threat.

Given that WikiLeaks seems to be able to break into the systems run by the CIA - the world’s largest intelligence agency - whenever it feels like it, it might feel like there’s not a lot of point in trying to protect yourself against cyber crime. It sounds expensive, time consuming and, besides, who’s going to hack into a wide-format print business anyway?

As Target’s experience suggests, that reasoning is deeply flawed. You may be a target - excuse the pun - not because of your own business but because of the companies you are linked to. Realising that big companies are more likely to have state of the art cybersecurity technology, smart hackers analyse supply chains looking for the weakest link. Just imagine the damage they could do to your reputation - and business - if they used your systems to reach your largest customer to steal their data, disrupt their operations or to paralyse their business until a ransom is paid.

The idea of holding companies to ransom might sound like a plot from ‘Mission Impossible’ but it is happening with disturbing regularity to all kinds of businesses. Earlier this year, luxury Austrian hotel Romantik Seehotel replaced its electronic key cards with old school locks and keys after hackers immobilised its systems, effectively locking guests out, until a £1200 ransom was paid in bitcoin. The long and varied list of victims of this new kind of cybercrime includes the Singapore defence ministry, a hospital in western Germany, several police departments in the United States and Lincolnshire County Council. Surveys suggest that many British businesses have already suffered such attacks, though few have gone public.

With cyber ransoms - as with cyber crime in general - prevention is the ideal. Yet, as Jennifer Agate and Alice Mendonca, experts at the legal firm Farrer & Co, suggest: “Given the growing IT sophistication of hackers, mitigation may be the more realistic option.” A strategy to mitigate the threat would involve investments in the relevant technology, a contingency plan to deal with an attack - something which, surveys show, 20% of British businesses don’t have - and an internal education programme to make sure that staff understand the risks.

It is important too that when the authorities do step in - be they the police or the Information Commissioner’s Office, which can impose some hefty fines - you can show that you took reasonable precautions to protect data, especially personal information, and that you acted swiftly and responsibly as soon as the breach was detected.

One way of tackling this issue is to make sure you are complying with security regulations. This can mean you spend a lot of time ticking boxes, many of which have nothing to do with your business, but you can find good advice. Compliance is part of such standards as ISO 27000 where the CEO has to sign a document ensuring confidentiality and integrity and, if these pledges are broken and the company is attacked, they can end up in court. That prospect, as distant as it might feel, does tend to concentrate the mind. The UK’s Information Security Systems Association is developing an even tougher standard, ISSA5173, specifically designed to help small businesses become more secure.

The reluctance to invest in cybersecurity is understandable. It remains a “grudge purchase” because it is very hard to quantify the return on something that doesn’t happen. Yet print service providers cannot afford to neglect this issue. Just one bad attack can erode - or destroy - a customer’s trust. It can also, let’s be honest, look technically clueless. Would you place an order with a digital print firm that can’t protect its digital data?

The good news is that you can afford to reduce the threat. There is a range of options on offer, depending on the size of your business. Security provider Comodo offers free and reasonably priced solutions that will, for example, prevent malware from entering your networks. Small businesses can also get certain protection - firewalls, internet security and anti-virus software - for free. ESET lets you choose from a variety of bundles according to what devices you want to protect (computers, mobile phones, USB drives, networks and servers).

There are also more specialist solutions - CradlePoint NetCloud Engine will help you securely ‘virtualise’ your networks; Lookout Mobile Security protects your phones and tablets; CloudFlare will defend your website; Random.org generates passwords that are harder to guess than such perennial favourites as ‘password’ and CSID safeguards the identity of your business. (Yes, companies can have their identities stolen, not just people). Some companies, like Symantec, also offer packages designed to suit a small business budget. That said, their idea of a small business budget might be very different from yours.

Whatever your budget is, it is safe to say it will be finite, so you will want to assess your risks and invest accordingly. For some, investment in the Cloud may be the answer, although cybersecurity experts differ on how secure it is. Those who favour the Cloud argue that, because it is run by companies like Microsoft, which regard protecting data as mission critical, it is likely to benefit from the latest defences against cyber attack. Others are troubled by the lack of clarity about who precisely is responsible for security in the Cloud.

The Cloud is a useful reminder that the threats to cybersecurity are constantly evolving. Phishing attacks are now almost routine, but too many organisations don’t discuss how to mitigate them - by treating incoming email with care and not following links without checking where they lead. Malware is becoming much more sophisticated - if Google’s systems can be compromised, as they were in 2010 in an attack known as Operation Aurora, can any business be safe? One of the more disturbing recent trends is revenge hacking - it’s not that difficult to annoy someone enough to make them want to attack you.

The importance of secure communication is still not widely understood. We text because it is quick, easy and effective - 98% of texts are opened compared to 20% of emails - and don’t even consider whether the message should be secure. Often, in a world of Bring Your Own Device (BYOD), we’re using the same phone we do in our personal lives. Protecting these texts isn’t difficult - even WhatsApp would offer some level of protection, while an app like Signal uses its own platform to ensure end-to-end encryption - but someone needs to make the call.

You would have thought tech giants such as Facebook (as the owner of WhatsApp) would have this covered but they don’t. An article in the ‘Wall Street Journal’ last December revealed that the company’s move to change its capital structure was “tainted by secret text messages and meddling from financial advisers that pointed to a process rife with conflict of interest”. The same month, in the same paper, it was reported that VW had, according to US authorities looking into the emissions scandal, effectively lost or ‘bricked’ 23 mobile phones that could have been relevant to the investigation.

The lesson here is simple: if you don’t want information to be in the public domain, do not write it in email or texts that linger in any way. Granted, a print service provider is unlikely to have material that could interest Julian Assange or the BBC News but you never know what might prove useful - or lucrative - to a cyber criminal hacking into your texts or emails.

Cybersecurity is a risk you need to assess, but it should not become an obsession. The key is to distinguish between what you can control, and what you can’t, and invest time and money accordingly.
