Every day more and more services are going on-line. Organizations are finding it easy to engage with their audience (clients, suppliers etc.) on a daily basis via the internet. This is a good thing; it brings several advantages to an organization, such as quality control, improved efficiency, and improved constant communication between organizations and consumers of goods and services, just to mention a few. However, unknown to organizations, their engagements leave a trail of on-line footprints with information that can be abused.

I like to define organizations as groups of people brought together by common objectives. I have intentionally underlined and highlighted the word people for reasons I will stipulate below.

  • People are free-willed beings by design. That means what was driving and motivating them today could change tomorrow.
  • People are motivated by different things, all dependent on their wholesome health (spiritual, emotional, mental, physical) and the Eco-systems in which they grew up.
  • People exist in contexts, some of which apply different levels of pressure on individuals, forcing different actions/outputs.
  • The world people live in consists of both GOOD and evil and people have been known to act from both sides
  • People are relational in nature and so it is right to say relationships run the world. However, the levels of maturity and training in handling these relationships vary and when conflicts arise revenge politics hover in the neighborhood

It is for some of these reasons that organizations should be gravely concerned. As employees pursue different ambitions in an organization, not everyone will be working towards its prosperity and posterity. It is then of great concern to see successful organizations running today, with plenty of information assets and having no Information Technology or Security policy. Documents littered all over in every employee’s computer, people plugging in anything on the Network, everyone having an official company email address but unable to describe how a spear phishing attack occurs.

Any business owner reading this should be greatly concerned, especially now. On 12th May, 2017 the notification below popped up on 230,000 computers in 150 countries. Let me pause at this point to explain what this notification is all about. It is called a ransom-ware customer support notification. This one is an excerpt from the WannaCry ransomware attack, which is ongoing as at the writing of this article. Why ransom? A ransom is a sum of money or other payment demanded or paid for the release of a prisoner. The prisoner here is your data and, by extension, the company data resident on all the infected computers. Ransom-ware is a type of malware (malicious software) that encrypts a computer’s data. The decryption algorithm is usually with the person demanding payment (ransom), leaving users with very limited options. This notification is usually prepared by the criminals behind the attack to “guide” victims on why, how and where to transfer ransom money. It also indicates the time left before the encryption time bomb blows and “vaporizes” or destroys your data. Let me also hasten to say that the perpetrators of this are criminals and so there are no guarantees even with utmost cooperation.

(Image source: https://nakedsecurity.sophos.com)

The saddest thing about this attack, which is ongoing, is that it targeted even hospitals. I need not explain the severity of doctors or nurses locked out of computers that could be monitoring a person’s vitals in the ICU – but I digress. As an individual or an organization, this circumstance is one you never want to be caught in. This attack came through what is referred to as a Phishing attack. Phishing is the act of sending a user an email that falsely claims to be legitimate and offers a link to a purportedly legitimate online destination. When the user clicks the link, it triggers an infection or attempts to scam the user into surrendering private information that will be used for identity theft.

Immediate action plan

It is not all doom and gloom. There are several measures that can help us remain on the offensive. Remember that the best way to predict the future is to invent it – Alan Kay (1971). Create that future by implementing the measures below:

  • Schedule periodic backups of both systems and data. The frequency is dependent on the importance of such information to business continuity.
  • Do not click links provided in emails, especially if you do not know the sender.
  • Update and patch systems periodically, and keep valid, up-to-date security systems in place.
  • Establish an IT policy with clearance levels and storage gadget policies

This can mark the beginning of securing your network or computer but we should always remember that security is not an event but an everyday task. It is not lost to those of us in the industry that this particular attack was either by reckless script-kiddies, a testing phase for a particular attack vector or a decoy as the real attack happens. Needless to say this could have also been a State sponsored attack.

PS: Don’t allow your organization’s information assets to be at the mercy of people you have no control over. No leader or management will ever have control over people’s thoughts, actions and reactions. However, you can institute controls and managed access over your intellectual property, market strategies and other company assets. Remember, prudence is not paranoia.

Article by Information security analyst Maina Watens at Esecure Labs
