When I think back to my start in technology as a professional (1990) it was a different time. No, this isn't me just being nostalgic, it really was a different technological period in history. Typewriters were still in widespread use, as were pens and paper, and telephones were still the most common means of communicating with someone not in the same room.
There was also a Telex machine in the corner of our office, which let us communicate with really remote locations, but still over an 'old' analogue telephone network.
Winding forward to today, hardly anyone (if anyone at all!) uses a typewriter, or pen and paper and increasingly fewer people are making calls over what would be a copper telephone network. Some still use pen and paper, but as we've seen in recent times, this has been a fallback option when the technology of here and now is for 'reasons' unavailable.
If you're in the cyber industry, you'll remember 2017 as the year of a thing called 'WannaCry'. This wasn't an original of the species, but it was the first notable and newsworthy example of a thing called ransomware, which went from a niche problem to in a relatively very short space of time a global problem that impacts organisations and their people to this day and every day.
WannaCry was a malware that infected computer systems, encrypted data on those systems and required a payment to be made, in order to recover access to those systems and the data they held. There were two core parts to it - in essence one part doing the encryption and the other looking for another machine to encrypt. And so it played out.
In the UK, WannaCry affected the National Health Service (NHS) quite profoundly, with hospitals being hit the worst and also frontline care centres. We started seeing early reports of GP / MD surgeries having to resort to using pen and paper. I may have mentioned this earlier in the post.
The UK recovered without any recorded examples of material harm to people being caused, but in another incident of a similar nature playing out in Germany, a critical patient lost their life because the primary hospital they were being taken to couldn't receive them, due to systems being unavailable because of ransomware. The patient was taken to a second hospital but sadly passed away en route.
So, with this, we start to see the kinetic effects that are in play, in this cyber battlefield.
At a more practical level, we see ransomware act as more of a lever to separate organisations from their money. This is the most common modus operandi and has now become the 'weapon of choice' for criminals that no longer feel the fun of donning a stocking on their head and running into a bank with a pistol and shouting at people.
The reason? The cost barrier to entry is far lower, the risk of being caught is minimal and frankly, if you're determined enough, it's dead easy to do. Oh and by the way, many nation states turn a blind eye to this kind of criminality in their lands, as long as a fitting tribute (cash) is paid in response. Some countries even use cybercrime to support their GDP. That's where we are, folks.
If the above has painted a picture, then that was the purpose. Not to freeze you into inaction or make things out to be more or less stark than they are. This is the reality not just we as cyber professionals now live in, but the reality organisations do too, and it doesn't matter if you run a small chain of coffee shops in downtown Winnipeg or a national, or even international firm - you're fair game to the crooks, like a person wandering down an unfamiliar street in town getting mugged. The criminals don't care what profile you fit, if you have something they want. Your wallet, phone or smart and expensive sneakers. Whatever.
So, what can you do about it? Well, the answer is "lots". Limiting risk starts with understanding what that risk profile looks like. And not to over simplify it, it's kinda like "What keeps me awake night as a business leader or senior manager?" It could be data loss, brand damage, regulatory penalties and even company closure (yes, some firms have disappeared out of existence as a consequence of cyber crime).
Why does that happen? They don't know what their risk model is, nor their threat model and so can't do anything about it. Some simply plug their ears with their fingers under the assumption or more accurately misapprehension that "The crooks won't target us, we're insignificant in the grand scheme of things" (wrong), and other firms simply don't think about it at all.
When you run a company, you're likely extremely busy and also preoccupied with what that business is there for, so be that a dental practice, the aforementioned coffee house chain or whatever. It's unlikely your cyber security posture is front and centre of your thinking and we get that over at Octopi. And that's where we can help.
We can help by providing you with an assessment of what your posture looks like through what is effectively a gap analysis of where you are right now on your journey to good security and where you need to think about doing more or doing things differently.
This will provide you with a rich plan that you can then deploy into your organisation to help you avoid being on the wrong side of a cyber bad day, week month or year. And the great news is that not only can we give you that roadmap, we can assist you along it.
If you'd like to know more, get in touch via our contact form below.
Thanks for reading.
The Octopi Team