Security is a state of mind

The world is open and vulnerable to attack.  That’s the message which every business and every individual should take away from the ransom-ware attack which took down hospitals, educational establishments and businesses across the globe. 

According to Europol, at the time of writing (15 May) there have been more than 200,000 ‘victims’ worldwide as a result of this one cyber attack; with authorities working hard to restore services and prevent further variants of the virus from getting through.  So why have so many larger businesses and institutions been affected and yet many small businesses and individuals have been spared?

First of all the virus exploited a vulnerability in Windows operating systems; from XP up to (but not including) Windows 10. That means that all those individuals and businesses who took the free option to upgrade to Windows 10 or who bought computers recently were safe from this particular attack.

Then there is the question of automatic security updates. Individuals and small businesses are far more likely to have set their computers to accept all these updates as they come through. So when a patch was sent out by Microsoft in March, it automatically closed the loophole, thereby protecting computers.

This left two particular groups vulnerable to this cyber attack. The first were owners of computers which ran operating systems which were no longer supported including Windows XP, Windows Server 2003 and Windows 8. Continuing to run unsupported software is always a risk. However, we understand that Microsoft have now taken the unusual step of making a patch for these systems available for download on its website.

The second vulnerable group were those businesses and individuals which had taken the decision not to automatically install security updates. Particularly in large organisations running multiple complex systems, it has in the past been seen to be good practice to test the effect of any updates on the system to ensure that it does not create a conflict with existing programs before setting it live. This is a practice which now may need to be reviewed, or at least given a far higher priority.

Regardless of this, cyber crime is a clear and present danger and one which is not going to go away anytime soon. All it takes is one individual clicking on an email or responding to a seemingly innocuous question and security can be compromised. That’s why the first line of defence has to be to instil a security state of mind in every individual within an organisation. Without that, you can have all the backups you like, you can have an extremely robust business continuity plan, and still leave your business vulnerable to attack.

In fact, business continuity plans (risk plans) are a good case in point. It’s all too easy to see the production of the plan as the sole endpoint in the process. However, production of the plan can provide multiple opportunities to identify and mitigate against risk. So for example you may look at the replication of telephone systems, at the instigation of closed information lines and redirecting calls as part of business continuity process, without learning any lessons about existing vulnerabilities in the process.

On the other hand if, as part of your review, you identify the fact that telephone extensions aren’t adequately PIN protected, or that programmed telephone transfer protocols could result in external calls being seen as originating within the business; you have an ideal opportunity to immediately strengthen security and mitigate against risk. After all business continuity plans are designed to get the business back on its feet as quickly as possible whilst disaster strikes, and what better way to do that than to stop disaster happening in the first place.

The recent cyber attack has shown us all how potentially vulnerable businesses can be to a worldwide threat. Putting security at the forefront of everyone’s mind, planning and mitigating against threats may not provide a complete answer but it will certainly help to secure the business against those seeking to exploit vulnerabilities.

Written by Alison