A few weeks ago, I had one of those days. You know, a day where things just don’t seem to make much sense. The day started out with a training session on ransomware. Unfortunately, as such programs are apt to do, it made me start to think that selling everything I have, disconnecting from the wired world, and moving to some remote island where I could live out my life selling tapas on the beach might be a really good idea. I suspect more than a few of you might have responded similarly.
Anyway, what got me going was learning about one of the new business models hackers have come up with. In short, after a computer or network is breached and the data encrypted, hackers are starting to offer their victims two choices instead of the normal one, which was to pay the ransom amount in order to obtain the decryption key and get their files back. Now the victim can either pay the ransom or they can help spread the ransomware by sharing a malicious link with two people they know. If those two unsuspecting folks become infected and pay the ransom within seven days, then the initial victim would receive the decryption key and be able to recover their files for free. Now isn’t this a heartwarming development.
As soon as my training was over, I started going through my email, including reading all the tech stuff I normally review every day, trying my best to stay current and informed. Of course, the headlines were what they are on any given day nowadays. “Obama Orders Investigation of Election Cyber Attacks,” “Hackers Named Runner-Up for Time Magazine Man of The Year,” “Governments and Nation States are Now Officially Training for Cyberwarfare,” “The Botnet That Broke the Internet Isn’t Going Away,” and “Ransomware Now Being Used to Cover Network Intrusions” were just a few of the delightful reads that morning.
Then the phone rang. Seems a couple of lawyers came to work only to discover that their firm had been broken into and three laptops containing all kinds of client information were on the list of items taken. Of course, the first question they asked was, “What do we do?” It’s a legitimate question and one deserving of an answer; but I needed to know more. It was then I learned the laptops were not password protected, were not encrypted and contained no laptop tracking software. With that good news, my answer was that the only thing that could be done now was to take whatever steps they could to prevent anyone from using the stolen hardware to break into the firm’s network. They should also file a claim with their cyber insurance carrier and notify all clients impacted by the theft. Beyond that, everyone was going to have to live with the reality that the data on those laptops is now in someone else’s hands, and may, in fact, eventually fall into the hands of a number of others, none of whom will have the firm’s or the firm’s clients’ best interests at heart.
After this call ended, I just sat there shaking my head wondering why these lawyers took no steps to try to prevent access to client and firm data should something unexpected, like a break-in, ever occur. Sadly, I have an inkling. Security experts tell me they see this all the time, which makes me think it gets back to how I responded to my morning training. We live in a crazy cybercrime world and the crazier it seems to become the more we all look for ways to escape from it, be it a dream of getting away, going into denial that something bad will ever happen, or ignoring it because there’s nothing anyone can do anyway. While all are normal responses when things seem overwhelming, they can also lead to serious trouble if any particular response prevents someone from taking steps to responsibly deal with the reality of the situation. This is what I believe is behind a decision to not take proactive steps to secure all tech. In all seriousness, I’ve seen it in the eyes of too many. We’ll be talking about things like the use of encryption, of strong passwords coupled with password managers, or even the necessity of ongoing cyber security training when the willingness and motivation to do something just seems to disappear.
Look, I really do get it. As the Borg, an alien race in the Star Trek: The Next Generation TV series, used to say: “Resistance is futile.” That line hits home for me when I start to think about cyber security because the headlines tell us daily that it’s a losing effort so why even try; but try we must. If the lawyers mentioned above had just taken the single and simple step of encrypting the hard drives of those laptops, the difficult and problematic task of notifying all clients of the breach, not to mention the potential fallout of having their own personal identities stolen, could have been avoided entirely. If you count yourself as one of the folks who believe it won’t ever happen to you, feel that ignorance is bliss, believe there’s nothing you can do to prevent it so why bother, or are just counting the days until the dream can become a reality, all I can say is this. Yes, becoming cyber secure can be a pain. Do it anyway. Trust me, the headache that comes with being proactive is going to be far less than the one that comes with being a hacker’s next victim.
All opinions, advice, and experiences of guest bloggers/columnists are those of the author and do not necessarily reflect the opinions, practices or experiences of Solo Practice University®.