While many of the good guys are getting back from a bit of a break, they are finding that the bad guys didn’t take much of a break at all. Well, at least their malicious software didn’t.
2017 has already been a banner year for cyber security. It’s a top of mind issue for politicians, titans of industry, celebrities, and, of course, all of us IT security pros that have been grappling with it for decades. While we may never know the real story behind a lot of the bigger headlines, there are a number of incidents that most likely result from the same poor practices that drive vulnerabilities to become real risks. And it’s the same best practice we’ve been talking about for a long time that is the antidote.
One thing that shows us just how far the bad guys are pushing their limits is that they are now targeting schools. Ransomware has traditionally been targeted at careless individuals or corporations with money on hand to ensure the bad guys get paid. A rash of ransomware hits in UK schools has shown they seem to be working down the food chain to other types of organizations. And, in case it seems like they may give up because they won’t be able to turn a profit hitting schools, a $28K payment from Los Angeles schools shows they aren’t likely to stop anytime soon.
How could these ransomware attacks have been stopped? If you’re reading this, you likely already know the answers. Control over phishing and other malware entrance vectors, having excellent backup discipline to ensure you don’t need to pay them to get your data, and user training to ensure they understand these mechanics so panic doesn’t cause more harm than the initial attack.
I’m guessing the IT folks in all these schools knew most of this as well. As the saying goes, knowledge is half the battle. Unfortunately, it’s not the half that can prevent or mitigate these attacks.
Cybercriminals Versus Schools is an Uneven Match
All the tactics that fight the bad guys have one thing in common: they are not free. Even before you start thinking about software and services to help you scale your defenses, you already have the cost of the IT security experts who know how to use these tools.
If you don’t plan to have any tools at all, then you’re likely looking at even more expense on the people who will need to do it all using the bare metal that the platform providers give you. Last I checked, schools aren’t generally known for their overflowing budgets – especially for items like cyber security.
It goes beyond simple cost questions, though. The bad guys have a business model that means their successful attack is a way for them to generate revenue and profit, while you’re stuck on the other side pulling defense off the top line and creating cost.
So before any money is spent on either side, the incentives are already upside down. Your adversary is pursuing rewards and you are pulling together what you can to shore up the walls with the sliver of the budget they give you.
Cyber Security is a Perspective Problem
Hopefully, you’re a little mad at me now. You want to say that this “cost” thinking about security is the old way of viewing things. You want to tell me that’s not how you talk about security in today’s world. When the risks are existential to the business and the competitive edge comes from consumer confidence, security isn’t just a drag on things. Security becomes a locus of the organization’s brand. Security is a way to show executives effective execution of strategy. At least, I hope that’s what you’re thinking.
Can understanding that security is a thought leading exercise help these schools make budgets appear? Only results will tell. But if the IT pros trying to get these organizations to see the priorities right are framing the conversation in terms of citizen confidence in the institutions, privacy for the student and parent information, and showing how security is at the heart of the mission of today’s schools, then they’ll have a better chance than if they take the all cost no reward model.
It’s a new year, which means it’s a great time to switch things up. Maybe they can upgrade their perspective about security and help everyone out.
If you like this topic please leave a comment below and follow us on Twitter.