08 Apr The Threat of Ransomware and Impact on Small and Medium Businesses
By Christopher Mims as written on wsj.com
The rise of cyber threats means that the people once assigned to setting up computers and email servers must now treat security as top priority
In the Appalachian mountain town of West Jefferson, N.C., on an otherwise typical Monday afternoon in September 2014, country radio station WKSK was kicked off the air by international hackers.
Just as the station rolled into its afternoon news broadcast, a staple for locals in this hamlet of about 1,300, a warning message popped up on the screen of the program director’s Windows PC. His computer was locked and its files—including much of the music and advertisements the station aired—were being encrypted. The attackers demanded $600 in ransom. If station officials waited, the price would double.
The station’s part-time IT person, Marty Norris, was cruising in his truck when he got the call that something was amiss. He rushed to the station. “I immediately pulled the plug on his computer,” says Mr. Norris.
In a quick huddle, the possibility of paying the ransom was raised, but the idea didn’t get far. “We’re a little bit stubborn in the mountains,” says General Manager Jan Caddell. “It’s kind of like being held up. We thought if we paid, they’d just ask for more.”
Security experts believe this particular strain of ransomware has netted criminals at least $325 million in extorted payments so far, but the real figure could easily be twice that.
The global “WannaCry” ransomware attack that peaked last week, and has affected at least 200,000 computers in 150 countries, as well as the growing threat of Adylkuzz, another new piece of malware, illustrate a basic problem that will only become more pressing as ever more of our systems become connected: The internet wasn’t designed with security in mind, and dealing with that reality isn’t cheap or easy.
Despite all the money we’ve spent—Gartner estimates $81.6 billion on cybersecurity in 2016—things are, on the whole, getting worse, says Chris Bronk, associate director of the Center for Information Security Research and Education at the University of Houston. “Some individual companies are doing better,” adds Dr. Bronk. “But as an entire society, we’re not doing better yet.”
Ever greater profits from cyberattacks mean cybercriminals have professionalized to the point where they are effectively criminal corporations, says Matthew Gardiner, a cybersecurity strategist for Mimecast, which manages businesses’ email in the cloud. Instead of hackers fumbling their way through complicated financial transactions, or money whizzes fumbling their way through malware design, there is true division of labor. As in any other industry, specialization begets efficiency.
Large (legitimate) corporations have the resources to hire talent to protect their digital assets, but for small- and medium-size businesses, it’s harder. There’s no shortage of good advice on how to perform basic security hygiene, but who’s there to implement it? The solution is resource management, with a focus on cybersecurity. Dr. Bronk lays it out like this:
1. Retrain IT staff on security—or replace them. In today’s world of ever-multiplying threats and dependence on connected assets, all IT staff must now be cybersecurity staff first. “The good news is that you don’t need that dedicated person to run your email server anymore—they can run security,” says Dr. Bronk.
2. Push everything to the cloud. It used to be the job of IT personnel was to build and maintain the tools employees need. Now, pretty much anything can be done better with a cloud-based service.“I mean, even the CIA uses Amazon’s web services,” says Dr. Bronk. “If there’s a best of breed, why not use it? If you want a safe car, go buy a Volvo.”
3. New IT investment will need baked-in security. Data from the Bureau of Labor Statistics indicates jobs in IT security are one of the fastest-growing categories in tech, up 33% in the past four years alone. That’s probably due to companies simply catching up on investing in cybersecurity after years of under-investment, says Mr. Gardiner.
Diana Kelley, global executive security adviser at IBM Security, a division of International Business Machines Corp. , compares the current state of network security to graphical user interfaces in their earliest days, when they weren’t particularly intuitive. Collectively designers and engineers learned to prioritize and improve them. “Security can be like that, too,” she adds. “We can think about it upfront and weave it into the process in a much more effective way.”
The cloud isn’t perfect, of course. A , disclosed last week, exposed customer email addresses, allowing attackers to target them with convincing emails that included a malware attachment disguised as a Microsoft Word doc. And then there’s the fact that massive denial-of-service attacks like Mirai can make the cloud inaccessible at critical times.
WannaCry is a good example of how increasing cybersecurity can be relatively simple—thwarting it was as simple as keeping Windows up-to-date. On the other hand, it used a sophisticated exploit lifted from a hack of National Security Agency tools that allowed it to spread directly from one computer to another, infecting systems in companies that might have been prepared for other kinds of attacks. These kinds of systemic weaknesses employed by or stolen from governments have led Microsoft to plead for a “Geneva Convention” on cyber weapons.
As for West Jefferson’s own WKSK, the station was lucky. Mr. Norris, its IT consultant, had backed up the computers. He was able to wipe the slate clean and get everyone back on the air in a few hours. It’s a good illustration of how prioritizing even the most basic cybersecurity practices can be a life-saver.
Since then, he has implemented offline backups of the station’s computers, just in case. He’s also become a keen student of the kind of attacks, such as WannaCry, that can affect small organizations. As soon as he read that it could hit older systems, he rushed to protect them at his day job—as the IT person for the local school district.
Appeared in the May 22, 2017, print edition as ‘All IT Jobs Are Security Jobs Now.’