You can't overstate the threat malware poses to businesses
Published 08/05/2014 | 02:30
The information security industry has been accused in the past, usually with little supporting evidence, of overstating the risks to businesses. The charge has been that it's all been done just to increase sales.
Whenever this discussion arises, comparisons with the Y2K bug inevitably follow.
In some circles, there is still a perception that the Y2K bug was a conspiracy within the IT industry to stimulate sales and that there was actually no risk at all. The justification for such theories is that none of the predicted doomsday scenarios unfolded.
I would argue differently: that the Y2K bug's relatively harmless effects were a direct result of the huge effort put in to make sure that it was a non-event.
Nevertheless, there are similarities to be drawn today with the perceived hype surrounding IT security threats to businesses, particularly those for Irish SMEs.
One area of focus is privacy, or the lack of it. Yet even in this "post-Snowden" era, this is probably not the area that poses most risk to businesses in Ireland today.
The more relevant, and pressing, threats to businesses are more likely to be based on malicious software (malware) or data loss.
Despite increased attempts over the years to raise the level of IT security awareness, there is still a relatively low level of awareness in Ireland about such threats. This is evidenced by the number of SMEs that are falling victim to new variants of malware solely focused on extorting cash.
One that has been written about many times in recent months, but unfortunately is still extremely prevalent, is the malware known as CryptoLocker.
This malware (or ransomware as it is more commonly known) relies on 'social engineering'. It gets a victim to carry out a particular task such as clicking on a link or opening an attachment in an email. This can then result in the user's machine becoming infected with this malware.
The result of this infection is that cryptographic components of the Windows operating system are used to encrypt a range of files on the computer hard disk.
The malware then initiates a complex series of transactions that connects the computer to the internet, generates a unique 'public-private key pair' for that computer and encrypts the files with the public key.
The only way to decrypt these files is with the private key that the malware author is storing on his own server. At this point, you're in big trouble. The malware presents a screen to the victim outlining what has happened and what must be done to decrypt the files. Most disconcertingly, a countdown clock to complete destruction of the encrypted files begins.
Unfortunately, there is no backdoor – or other way – to recover these encrypted files other than with the private key from the malware author.
In recent months, several Irish SMEs have been crippled by this kind of ransomware.
In some cases, the files encrypted can be accounting files, design drawings or proposal documents.
The nightmare scenario here is that when CryptoLocker encrypts the files, they are left with the same name. Meanwhile, the copying of files to a backup device will overwrite the unencrypted version so that even the backup is encrypted.
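An added example (not from the original article) of guarding against the backup overwrite described above: before replacing a backed-up file with a same-named newer copy, this Python routine compares byte entropy and holds back content that has suddenly turned random-looking. The function names, the 7.5 bits-per-byte threshold and the `.prev` and `.suspect` suffixes are assumptions chosen for illustration.

```python
import math
import shutil
from pathlib import Path

ENTROPY_LIMIT = 7.5  # bits per byte; assumed threshold, tune for your own data


def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte: close to 8.0 for encrypted or compressed data."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def safe_backup(src: Path, backup_dir: Path, sample: int = 65536) -> str:
    """Back up src without destroying the last good copy.

    Returns "copied", "unchanged" or "quarantined".
    """
    backup_dir.mkdir(parents=True, exist_ok=True)
    dest = backup_dir / src.name
    if not dest.exists():
        shutil.copy2(src, dest)
        return "copied"
    new, old = src.read_bytes(), dest.read_bytes()
    if new == old:
        return "unchanged"
    # Same name, different content: suspicious when a file that used to be
    # ordinary (low entropy) now looks like random bytes.
    jumped = (shannon_entropy(old[:sample]) < ENTROPY_LIMIT
              <= shannon_entropy(new[:sample]))
    if jumped:
        # Leave the good backup alone; keep the new version aside for review.
        shutil.copy2(src, backup_dir / (src.name + ".suspect"))
        return "quarantined"
    # Ordinary edit: retain the previous version before overwriting.
    shutil.copy2(dest, backup_dir / (src.name + ".prev"))
    shutil.copy2(src, dest)
    return "copied"
```

Formats that are already compressed (images, archives, modern office documents) sit near 8 bits per byte before any infection, so the entropy test will not flag them; for those, the retained previous version and a backup copy kept offline are what protect you.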
Because of the countdown timer looming large, many SMEs end up having to pay. The sums involved range from around €300 to €10,000. While paying is contrary to all recommendations from both the gardai and IT security professionals, one can see how some victims feel they are left with no other choice.
The owner or manager of an SME business in Ireland is often stretched to breaking point keeping the business alive and trying to deal with all the roles they must carry. The area of IT security is usually not an area of expertise, or even basic knowledge, and thus often gets ignored.
Still, an ounce of prevention really is worth a pound of cure. In this context, protect yourself, your organisation and its information assets.
Have an enterprise-quality anti-malware package. Keep it up to date and ensure it is updating every day.
Keep your operating system patches up to date and install patches or security updates for other software on your computers. Have a firewall on the computers, or on the shared connection to the internet, and be wary of any attachments or links sent by email, even if they come from someone that you may know.
IT professionals are often accused of self-serving hype. But it doesn't seem that way to the multitudes of companies that suffer malware attacks.
Conor Flynn is the founder of Isas, a Dublin-based IT security firm. Email: Conor.firstname.lastname@example.org.