The world’s most powerful governments, intelligence services and some smart cyber freelancers are on the case of what is probably an organised crime group. Its ransom demands have so far netted a mere $40,000 worth of bitcoins, so perhaps not the most impressive risk-return KPI, though that could yet change. Future attacks may be more discreet and targeted, equally dangerous, and leave companies to fend for themselves.
Indeed, there were almost 200 high-level cyber attacks in the UK in the last quarter of 2016 alone, and many more in the US and EU, most of which did not make the news headlines. In some cases, organisations are known to have quietly paid large ransom sums to recover their files. They could have reduced the risks with some basic precautions. In an FT opinion piece, Keren Elazari, of the Tel Aviv University Interdisciplinary Cyber Research Center, advises companies to update legacy software, install endpoint security measures and, crucially, educate users about the risk of opening email attachments, clicking links or running unauthorised applications.
FT|IE Corporate Learning Alliance’s Cyber security programmes have also strongly warned about employee carelessness. ‘Cybersecurity is not about making machines work better. It is about preventing people…doing mindless things with computers, wittingly or otherwise.’ That means viewing staff as a ‘first line of defence’ rather than ‘the weakest link.’ Companies that remain complacent may soon find it harder to get insurance, and could suffer significant legal and reputational damage. At least they will have Maija Palmer’s cybercrime survival guide to help them through the worst of it.