Plain English Cyber in 3 articles, 2 numbers and 1 action.
This week: Getting a good night’s sleep is now a little harder. The ransom payment is the least of your worries. And what is appropriate security anyway?
This week’s action: Check that Windows is being kept up to date.
If you’d prefer to listen to Cyber 3-2-1: This week’s episode is accessible from https://www.codeinmotion.ie/podcast or wherever you get your podcasts.
1: Getting a good night’s sleep is now a bit harder
A cyber attack on the website of Emma, a German manufacturer of mattresses which operates online across 18 countries, has resulted in the credit card details of its customers being disclosed to the attackers. The attackers were operating on the site for almost two months earlier in 2022, before the issue was discovered.
The attackers used the same MageCart-style card-skimming technique that resulted in the British Airways website exposing the credit card details of 40 million customers in 2018, and for which it was fined £20 million.
One customer [..] said: “Apparently getting a good night’s sleep means you now might not get a good night’s sleep.”
2: Ransom payment is only 15% of the total cost of a ransomware attack
“Researchers [at Check Point] analysing the consequences of a ransomware attack include costs that are roughly seven times higher than the ransom demanded by the threat actors. This includes the financial burden imposed by the incident response effort, system restoration, legal fees, monitoring costs, and the overall impact of business disruption.”
The researchers also identified that attackers seem to follow a specific pattern when deciding the size of their ransom demand, and many may base their demand on the organisation’s annual revenue. “According to Check Point’s analysis, the ransom demand is typically between 0.7% and 5% of the victim’s annual revenue”. The research suggests that professional services firms (such as law firms) are at the upper end of that scale.
So, let’s do some “back of the envelope” maths: If your business suffers a ransomware attack, the ransom demand may be 5% of your annual revenue, and this ransom is 15% of the total cost of the attack. So, it suggests that an attack could cost you (beep, beep, boop, boop).. about 33% of your annual revenue.
Add in the immediate emotional distress of dealing with the fallout and the longer term reputational damage, and it might motivate you to take a look at your cyber defences.
3: What is appropriate security anyway?
I attended a Data Protection event earlier this week, and the phrase ‘appropriate security measures’ was repeated throughout the day. It’s not surprising because it mirrors the terminology used in the text of the GDPR legislation. And if an organisation finds itself on the wrong side of a regulatory sanction or court case arising from a cyber attack, the phrase is also likely to appear, with the organisation accused of lacking ‘appropriate security measures’ that could have prevented the attack.
But what is appropriate security?
In a recent blog post, I talk about the elements that influence the definition of ‘appropriate’, because what is appropriate for you may differ from other organisations. And while I can’t answer the question without knowing these elements, I can certainly tell you what inappropriate looks like – for example, untested backups, unproven assumptions about your staff’s awareness, or unproven assumptions about what exactly your IT MSP is doing to keep you secure [HINT: They are probably not doing as much as you think they are doing, but that’s not necessarily their fault].
At a data protection conference earlier this week, Graham Doyle of the DPC mentioned that 42% of all complaints received by the DPC last year related to people complaining that organisations were failing to provide them with a copy of all their personal data when asked to do so. Such a request, called an Access Request, is a basic right that existed before GDPR. Doyle commented that the DPC will review these complaints when deciding who to audit, because if an organisation cannot comply with this basic obligation, it is probably a sign that there are other data protection problems in the organisation.
How you do anything is how you do everything.
2: USD $1 billion
The FBI estimates that $1 billion has been stolen from 24,000 Americans in 2021 as a result of cryptocurrency scams.
An FBI spokesman said “criminals seeking crypto don’t need to think outside the box. ‘Oftentimes it’s really traditional scams and schemes we’ve seen for years just perpetrated with a sort of cryptocurrency twist’”.
Old scams in the new world.
1: Check Windows is up to date
One of the basic security measures required in any organisation is to ensure the versions of software in use are being kept up to date.
This week, I’ll focus on the Windows operating system. Microsoft usually releases security updates for Windows on a monthly basis, and usually on the day called ‘Patch Tuesday’. This falls on the second Tuesday of every month, so May’s Patch Tuesday was earlier this week.
It may be too early to expect May’s updates to be installed on your Windows devices, but all of the updates up to April 2022 should be there by now.
You can check which updates have been installed on a Windows 10 device by doing the following:
- Open Settings on Windows 10
- Click on Update & Security
- Click on Windows Update
- Click the View update history button
- Look for updates that include the phrase ‘Cumulative Update for Windows 10’
As it is now mid-May, if the list does not include updates from April (“2022-04 Cumulative Update for Windows 10..”) or March (“2022-03 Cumulative Update for Windows 10..”), you need to find out why.
- If you work in a large organisation, this update process is probably managed centrally. Ask the team responsible – they may have a reasonable answer.
- If you rely on an IT managed service provider, this may reveal that they are not as proactive as you thought they were. This is not necessarily their fault – their current contract may be a reactive / break-fix service (so if it ain’t obviously broken, they aren’t being paid to fix it). But you need to get this onto their to-do list, even if it means you need to pay them a bit more.
- If you are responsible for keeping your device up to date and Windows has not installed these automatically, it’s time to install the updates. And if you will remain responsible, set a reminder or recurring meeting in your calendar to do this check every month – I suggest about a week after Patch Tuesday, so any bugs in the update are likely to be ironed out by then.
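If you would rather run the same check from a PowerShell prompt than click through Settings, the script below is an added example (not part of the original newsletter). It reads the device’s own Windows Update history through the Windows Update Agent COM API and flags whether the March and April 2022 cumulative updates mentioned above are present; the list of expected months is an assumption you should edit as the calendar moves on.

```powershell
# Added example: check the local Windows Update history for the
# "Cumulative Update for Windows 10" entries the article says should be
# installed by mid-May 2022. Run in PowerShell on the Windows 10 device.

# Assumption: these are the months we expect to see (edit each month).
$expectedMonths = @('2022-03', '2022-04')

# Windows Update Agent COM API: the same data shown under "View update history".
$session  = New-Object -ComObject 'Microsoft.Update.Session'
$searcher = $session.CreateUpdateSearcher()
$total    = $searcher.GetTotalHistoryCount()

if ($total -eq 0) {
    Write-Warning 'No update history found on this device. Find out why.'
    return
}

# Keep only successfully installed (ResultCode 2) OS cumulative updates.
# Titles look like "2022-04 Cumulative Update for Windows 10 Version ... (KBnnnnnnn)".
$cumulative = $searcher.QueryHistory(0, $total) |
    Where-Object { $_.Title -like '*Cumulative Update for Windows 10*' -and $_.ResultCode -eq 2 } |
    Select-Object Date, Title |
    Sort-Object Date -Descending

Write-Host 'Most recent successfully installed cumulative updates:'
$cumulative | Select-Object -First 6 | Format-Table -AutoSize

# Any expected month with no matching entry needs an explanation (see the article).
$missing = foreach ($month in $expectedMonths) {
    $found = $cumulative | Where-Object { $_.Title -like "$month Cumulative Update for Windows 10*" }
    if (-not $found) { $month }
}

if ($missing) {
    Write-Warning ('No installed cumulative update found for: ' + ($missing -join ', ') + '. Find out why.')
} else {
    Write-Host 'Expected cumulative updates are present.'
}
```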
PS You should do a similar check across all of your devices, especially Android but also Mac and iOS devices.