Last week’s ransomware attacks were aimed at vulnerabilities typical of big enterprises and government bodies, but the true impact was felt by consumers: cancelled trains in Germany, people forced to pay cash for petrol in China, missed hospital appointments in the UK, and the list goes on, with poor user experience and damaged trust as the result.
While the WannaCry attack exploited a very specific desktop vulnerability, the possibility of similar attacks on other operating systems, the media coverage and the effect on consumers’ perception of digital safety all hold lessons to be learnt. We asked what the mobile tech industry can do to better prepare for similar attacks and protect consumers…
Rimma Perelmuter, CEO, MEF
The global ransomware attack highlights the importance and challenge of guaranteeing network security and how service disruption can be costly and inconvenient.
Yet, the headline-grabbing shock and awe surrounding the incident underlines something far more basic – that building trust around how our sensitive and personal data is handled by everyone from healthcare institutions to brands and businesses is paramount.
It follows that building consumer trust around our data is fundamental to driving engagement and creating long-lasting valued relationships with today’s patients, consumers and citizens.
The attack showed that security comes first and is sacrosanct for building trust. Equally, individuals will hold public and private institutions accountable when it comes to safeguarding their personal data and building transparency around usage is key for addressing the consumer trust deficit.
It’s hard to imagine big institutions and enterprises making these improvements overnight but we are already beginning to see the seeds of change. Companies that operate within the Personal Data Economy (PDE) are giving control of data back to consumers, allowing them to privately control access to and manage their personal information.
Of course, there is still a need for networked data systems across our big institutions. Appointment booking platforms within the NHS, for example, necessarily need to operate in this way. But if control of personal data was the responsibility of the most trustworthy network node – the individual – the fear of data uncertainty would be diminished.
David Poole, Business Development Director, MYPINPAD
Ransomware, phishing, credential reuse, and numerous other types of cyberattacks are exponentially growing in volume, frequency, sensitivity and impact.
In fact, the likelihood of a material data breach involving 10,000 lost or stolen records occurring in the next 24 months has risen to 26%.
Consumers’ payment details and bank accounts are among the most valuable and most pursued targets. However, it is not just banks who are the main bullseye for attackers; retailers are also becoming increasingly popular targets. In the US, retail even became the sector that experienced the most cyberattacks in 2015.
Consumers are increasingly concerned about their online and mobile security and want stringent authentication processes to proactively keep their data safe. The regulators want the same. New regulations, such as PSD2 and EBA’s Regulatory Technical Standards are demanding strong consumer multi-factor authentication to stem the unprecedented levels of payment fraud occurring online.
Both banks and merchants could better protect consumers through the secure use of the card PIN, in a secure digital format, when making an online payment. This proven, familiar and trusted authentication factor can help keep personal information safe from fraudsters whilst allowing greater sales and transaction volumes.
Nathan Kinch, Head of Ecosystem Value and Growth, Meeco
Strong security and privacy practices must become industry standard. We must embed these principles into value proposition, product and business model design processes from the outset. They can’t be afterthoughts.
The way to meaningfully do this is to change the landscape. We need to give people and organisations the tools to privately and securely share access rights to the right data at the right time. We also need to create real value in the short-term to incentivise adoption of these approaches.
Distributed data architectures inherently decrease the risk of certain data breaches. Make people (the data subjects) the point of integration and a source of truth. New technologies such as Meeco’s dual-sided personal data platform enable this optimal approach.
Rafael Pellon, Partner, FAS Advogados
The latest global-scale attack only highlights what is obvious to many in the tech industry: our world has got too connected to be left without proper oversight. This was just one big reminder of it, and it points to the fact that we, as a society, lack the proper tools to implement and monitor this global village.
As big as global tech companies might seem at first hand, they are not omniscient, able to keep every device they make on the most up-to-date security versions every week. And even if they could do it, lawmakers would scream right back at such an endeavour with (correct) fears of the rise of a big brother. A global one.
So it seems it is past time for governments and tech behemoths alike to work together (as Mr. Harari proposes) on proper guidelines that establish the occasions where security trumps liberty, create better security update tools and also communicate better along the way.
It is past time tech companies start to look at governments as their allies, and vice versa. It is past time lawmakers create a playbook on how to resist and respond to such attacks. It is past time that citizens demand more care with the network, which is global and not multifaceted as we were led to think in the recent past.
Tristan Nitot, Chief Product Officer, Cozy Cloud
We need to remember that the WannaCry ransomware was made possible because the NSA (US National Security Agency) created a cyber attack tool called EternalBlue based on a bug in Microsoft software. The NSA could have chosen to communicate the bug so that Microsoft would fix it and make users more secure. The NSA decided not to.
Then the NSA got the EternalBlue tool stolen from them. Hackers leveraged the leaked EternalBlue tool to create the WannaCry ransomware. This proves that even the best-funded US agencies can’t keep a secret secret. At the same time, the same government officials are advocating that strong encryption should have “golden keys” that would be handed to government agencies. Those in possession of such golden keys could decrypt data easily.
But we’ve seen over and over – and the WannaCry scandal is yet another proof – that the government cannot be trusted to keep such keys secret. These keys will eventually become compromised; then digital security will be gone for ever. No more secure banking, no more trust in computers, the world’s economy will grind to a halt. Overall, the WannaCry cyber attacks prove one thing: we, as an industry, must stay strong and refuse compromises with regard to encryption strength.
Julian Ranger, Founder and Executive Chairman, digi.me
This attack made brutally clear the loss of control that we all have over our personal data when, instead of holding it ourselves, it is held in giant silos controlled by others. These giant honeypots are inevitably attractive to hackers, and the solution to protecting consumers must start with decentralising them.
Giving users back their data not only gives them more control over what happens to it, it also means in situations like this there is a second copy of this data – and so the overall attack is significantly less disruptive.
If we each had a copy of our own health data, the impact on the UK’s National Health Service would have been minimised dramatically. Anyone turning up for treatment or an appointment could have shown the relevant diagnostic and prescription history, enabling further action to go ahead.
And this is not just talk of a brave new world – it’s on the cusp of reality, within a new version of our digi.me app which is about to be released.
The world will never be free of those who want to cause mass disruption, but we can take away a great deal of their power if we control our own data.
David Emm, Senior Security Researcher, Kaspersky Lab
It all begins with education, awareness and reinforcing the understanding that cybersecurity is very much a process, requiring constant attention and vigilance. As an industry, we have a responsibility to our customers.
That means safeguarding their data and ensuring that they are not exposed to undue threats. It also means ensuring we can deliver on our promises – supplying services and products that work the way they are intended and are accessible whenever they are expected to be.
To achieve this, it’s a three-step process:
- Building security in from the very early development stages of a project, product or service – not as an afterthought. Technology should be fundamentally and intrinsically secure.
- Ensuring you have the right predictive and preventative technology, detection systems and response processes in place to thwart attacks and mitigate any damage that a successful attack inflicts – be it the theft of confidential data, shutting down systems or causing technology to not function as intended.
- Ensuring IT security teams are staying up-to-date with the latest threat intelligence, best practices, and ensuring all employees are adequately and regularly trained in cybersecurity hygiene.
But not all of the responsibility rests with the industry. It’s a two-way street – consumers also have a responsibility to keep their technology and online interactions secure. For the industry, this means we also need to continually educate consumers about the importance of cybersecurity and safe online behaviours.
Pascal Geenens, Radware EMEA security evangelist
Like water, cyber ransom threats tend to take the path of least resistance. When thumbs are stuck in the dike, new holes appear where the foundation is weakest.
Therefore, the key to thwarting cyber-ransom threats is a strong foundation. To safeguard your organisation, make sure employees feel that they can ask questions and be proactive. Employee education is the first, and perhaps, most important step in reducing the risk of cyber threats – whether your organisation has been the target of an attack or not.
Take an action-orientated approach. Cyber-ransom is one of a myriad of threats any organisation now faces. Given the complex threat landscape, there are simply no “silver bullet” security solutions.
When it comes to cyber-ransom, experience has shown that paying a ransom often leads to prolonged or repeated attacks. A better strategy is to turn the economic tables on attackers by making the business a more difficult target through strong security posture.
Thomas Fischer, threat researcher and security advocate, Digital Guardian
Attacks of this kind have been happening for years. One of the first lethal demonstrations of a well-crafted worm based on a zero day was the infamous SQL Slammer. Back in 2003, it set records by infecting 75,000 servers in 10 minutes. These cyber attackers don’t break software, they merely demonstrate that it is already “broken”.
Unfortunately it seems we are either quick to forget, or don’t learn from these past experiences. After all, the recommendations remain the same. Companies must adopt a “patch early, patch often” mantra. They also need to regularly review system settings and disable unnecessary services that may leave them open to attack. Keeping IT systems constantly updated and free from known vulnerabilities is absolutely essential.
Cyber groups have an arsenal of tools at their disposal to break down the doors of a network, be that to hold data to ransom or to steal it outright. It is inevitable that hackers will, at some point, breach a network. In this case, “data aware” technologies can help to prevent hackers walking out with the crown jewels under their arm. Keeping customer data safe doesn’t take a huge investment, it just takes a smart one.
Tony Anscombe, Global Security Evangelist, ESET
Consumer trust in cyberspace is essential for the evolution of the digital age. WannaCry used a known vulnerability in Microsoft Windows; the National Security Agency apparently knew about it, someone leaked the details and the cybercriminals took advantage of the situation by unleashing a global ransomware attack.
Why do the criminals behind WannaCrypt only accept payment in Bitcoin?
Bitcoin is often regarded as an anonymous currency because it is possible to transact without giving any personal identifying information. True anonymity may be impossible, but it is reasonable to say it is pseudonymous.
With virtual currency there seem to be no – or very limited – requirements to validate people registering accounts. This is in complete contrast to the regulated financial industry, and it makes virtual currencies such as Bitcoin an ideal solution for criminals, fraudsters and terrorists to use for storing and moving their funds.
Now would seem an opportune moment for Governments and Regulators to impose requirements on virtual currencies. It could possibly prevent the next major cyber-attack.
Luis Francisco González, VP of Business Development, ElevenPaths
Current attacks come in two guises: advanced persistent threats, which target specific organisations or individuals and use stealth as a way to reach their objectives; and non-targeted attacks, which try to affect as many people as possible.
The first group is, in principle, scarier for enterprises and governments: when they affect people, it is in relation to their responsibilities in those organizations that are the real target.
The second group plays the big numbers by infecting massive amounts of people and organizations with the expectation that even a small percentage of victims can result in large winnings.
Ransomware belongs to the second group. It is relatively safe for an attacker as it is difficult to trace and even more difficult to prosecute. However, to a consumer it produces substantial damage, as the information at risk is of a highly personal value. WannaCry added a weaponised method of self-propagation, making it even harder to protect against.
In any case, it is still true that 100% protection does not exist, but good habits go a long way: keeping up to date with patches, and learning not to accept email communication at face value but, rather, remaining vigilant, as it is easy to confuse people into accepting scams. As an industry, we need to work on making security as transparent and easy to use as possible, as complexity makes life difficult for consumers.