The recent massive hack of Panamanian law firm Mossack Fonseca – and the publication of its trove of confidential information in a publicly-searchable format that has cast suspicions on everyone from David Cameron to Emma Watson to cybercriminals themselves – is the kind of “extinction-level event” that businesses should better prepare for when their viability is entirely based on trust, one security consultant has warned.
“The confidentiality of your systems is the number-one thing you have to invest in when you're a law firm or a human rights organisation, for that matter,” LogicNow security lead Ian Trump recently told CSO Australia.
“Your information security is now the difference between being in business or being out of business.” As revelations emerge that Mossack Fonseca had a range of out-of-date systems that had been unpatched for months or years – and that the hack was perpetrated through the company's email system – Trump said he “couldn't think of a better case study for patching and updating vulnerable systems. The reality is that maybe you've spent 20 to 25 years of your life building the business, and it could all disappear if the basics aren't being done.”
Despite recent figures suggesting that software vulnerabilities are getting less severe over time, Flexera Software's first-quarter review of software-patching practices suggested that Australian businesses' patching practices are still well behind where they should be.
Some 5.9 percent of users were running unpatched versions of Microsoft Windows and 12.4 percent were running unpatched non-Microsoft programs, with 5.9 percent of the end-of-life applications on the average Australian PC no longer being patched by the vendor. The average Australian PC, Flexera's review found, had 79 programs installed from 28 different vendors.
Apart from the immediate danger posed by inadequate patching regimes, the figures suggested that many companies were putting far too strong a financial focus on their security investments – weighing ROI based on the potential cost per breach without considering the potential costs to the business of interruption from ransomware or other problems.
As a result, said Trump – an ITIL-certified IT consultant and COBIT expert – many businesses are holding back software upgrades or new services that would both improve their risk profile and provide new capabilities to improve disaster resilience.
“A lot of SMBs really are living invoice to invoice,” he explained, “and when they get attacked by something as innocuous as a CEO fraud scam or ransomware – and haven't made an investment into the ability to recover from an event like that with good, robust backups – that will hurt the bottom line.” Cloud backup services, he said, offer an easy and “phenomenally inexpensive” way of recovering from ransomware attacks: “They are probably the number-one answer to security failures, because in this day and age losing a customer's data is almost unforgivable.”
Given the predominance of email-borne threats in today's cybercrime environment, Trump said resource-limited businesses would be best advised to invest in email protection first and foremost, in order to block out what has become a major attack vector.
Yet email protection alone isn't enough to solve the problem of CEO fraud, he added, noting that businesses also need to ensure they have robust verification practices in place.
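The "verification practices" Trump refers to are usually a mix of people and process, but part of them can be automated at the mail gateway. The following is an added example, not code from the article, LogicNow or CSO Australia: a small Python check that inspects the headers of an inbound message for the classic CEO-fraud indicators (an executive's display name paired with an address that is not theirs, a sender domain that merely resembles the company's, or a Reply-To that silently redirects replies off-site). The executive list, the internal domain and the sample messages are all constructed for the example.

```python
from email.parser import HeaderParser
from email.utils import parseaddr

# Constructed assumptions: the organisation keeps a list of executives whose
# names are likely to be impersonated, and knows its own mail domains.
EXECUTIVES = {"Jane Doe": "jane.doe@example.com"}
INTERNAL_DOMAINS = {"example.com"}


def split_address(header_value):
    """Return (display name, address, domain) from a From:/Reply-To: value."""
    name, addr = parseaddr(header_value or "")
    addr = addr.lower()
    domain = addr.rsplit("@", 1)[1] if "@" in addr else ""
    return name.strip(), addr, domain


def looks_like_internal(domain):
    """Heuristic: domain is not ours but contains our domain's label (example-com.net)."""
    if domain in INTERNAL_DOMAINS:
        return False
    labels = {d.split(".")[0] for d in INTERNAL_DOMAINS}
    return any(label in domain for label in labels)


def ceo_fraud_indicators(raw_headers):
    """Return a list of human-readable findings for one message's headers."""
    hdrs = HeaderParser().parsestr(raw_headers)
    findings = []

    name, addr, domain = split_address(hdrs.get("From"))
    if name in EXECUTIVES and addr != EXECUTIVES[name]:
        findings.append("executive display name used with a different address")
    if name in EXECUTIVES and domain not in INTERNAL_DOMAINS:
        findings.append("executive display name sent from an external domain")
    if looks_like_internal(domain):
        findings.append("sender domain resembles an internal domain")

    _, rt_addr, rt_domain = split_address(hdrs.get("Reply-To"))
    if rt_addr and rt_addr != addr and rt_domain not in INTERNAL_DOMAINS:
        findings.append("Reply-To redirects replies to an external address")

    return findings


# Constructed sample messages (headers only) for a stand-alone run.
LEGIT = "From: \"Jane Doe\" <jane.doe@example.com>\nSubject: Q2 numbers\n\n"
SPOOF = (
    "From: \"Jane Doe\" <jane.doe@webmail-host.net>\n"
    "Reply-To: payments.desk@other-host.net\n"
    "Subject: Urgent wire transfer\n\n"
)
LOOKALIKE = "From: Bob Smith <bob.smith@example-com.net>\nSubject: Invoice\n\n"

if __name__ == "__main__":
    for label, msg in (("legit", LEGIT), ("spoof", SPOOF), ("lookalike", LOOKALIKE)):
        print(label, ceo_fraud_indicators(msg))
```

Findings from a check like this are a reason to route the message for manual verification (a phone call on a known number, a second approver for payments), not a reason to auto-reject: the display-name rule in particular will also fire when an executive genuinely writes from a personal account.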
As cybersecurity defences evolve, Trump said, robust backup practices needed to be complemented with systems to empower a 'detective-reactive-proactive' security response that gives businesses “a chance to not only prevent the bad guys from getting in, but to detect that they're there if they do.” “It's out there to make things more difficult when they are trying to break into your network.
Cybercriminals will turn to online havens where they're very difficult to get at and prosecute. But if we build good networks and keep them up to date, we can ward off the worst that can be thrown at us.”