If evidence was ever needed that data, in its many forms, needs protecting with the same assiduousness as tangible assets, the recent spate of ransomware attacks provides just that.
In the last couple of months, WannaCry and Petya (or NotPetya, depending on who you ask) wreaked global havoc.
The criminal motif of such attacks, at first glance, is to lock a firm out of its network and extort money in return for re-access.
But, as FMCG giant Reckitt Benckiser and others have demonstrated, there are side effects, whether intentional or not, that can bring a company to its knees.
Being denied access to essential data – even just for a few days – can disrupt months of business.
I hate to be a doomsayer, but the reality is, it will get worse before it gets better.
At Reckitt, without data, production halted, deliveries went undelivered, invoices couldn’t be sent. The firm estimates the attack will cost them £100m in revenue.
One might hope that protecting data would be a board level priority. And actually, as the EU’s General Data Protection Regulation (GDPR) approaches, the notion of data governance is gaining momentum.
I caught up with Nik Whitfield, chief executive of Panaseer, to find out how his firm is making sense of this Brave New World.
“Really the ethos of Panaseer is to help enterprises to do business in the digital world without the fear, uncertainty, and doubt that’s being introduced by the different challenges around cyber,” he tells me.
Cyber security is an arms race. On one side: malicious actors, doing all they can to make disruption endemic. On the other: businesses, eager to protect their assets, wanting little but to continue working without costly interruptions.
It’s a battle of growth. A firm which cannot secure its infrastructure is fundamentally at risk as attacks grow more frequent and sophisticated.
And as a business itself grows – bringing in more people, and subsequently more hard and software – it becomes vulnerable as the amount of data produced swells.
Adversaries grow ever more nimble in labyrinthine networks, leaving businesses on the back foot.
“The people who are responsible for protecting a business’ security have got to try and get their arms around all of this data, relating to all these machines and software applications – make sense of it – and then take sensible decisions about the best way to protect it as an organisation,” says Whitfield.
Panaseer is a platform – a “data lake” – that pulls all of the data across a business together using a variety of deep-learning analytical techniques, which make sense of it, and convert it into information.
With this information, chief information officers can glean knowledge to make the best decisions about what needs to be done next to protect critical infrastructure.
One issue that is pervasive throughout many businesses is the disparity between what the IT team sees, and what those at an executive level see. They both need to be singing from the same hymn sheet, so to speak.
Up and down the stack
“It has to operate up and down the stack,” says Whitfield. “Currently, there’s often confusion because the security analysts will look at one low level data set – very granular information about the IT estate – while executives will look at a different, far more summarised, dataset, leading to miscommunication.”
Businesses need to have a single version of the truth to base decisions upon. Deciding what is or isn’t a risk is an unenviable task, but one that firms need to make continually, adapting to new threats.
Primarily, it should be about finding the parts of your infrastructure that are most at risk, which when more and more is being added to the various networks a business might use, becomes a gargantuan task.
For example, the group behind NotPetya exploited certain technical vulnerabilities that existed in the operating systems of Windows. Using deep analysis of infrastructure could have identified said vulnerabilities, alerted decision makers to the imminent risk, told them to patch it, and mitigated exposure to the attack – potentially saving a firm millions.
It’s strange, I say to Whitfield, that multinationals which really have no excuse to be exposed to such basic vulnerabilities repeatedly fall short of protecting critical infrastructure.
Executives tend to be rather keen on protecting their reputation, and that of their company – so they are starting to take note.
“There are a couple of factors,” he says. “One is a lack of awareness at board level. Although, GDPR and other regimes are raising awareness. Executives tend to be rather keen on protecting their reputation, and that of their company – so they are starting to take note.
He says that, despite piqued interest, there is a definite intra-sector variation regarding which firms give due diligence to data governance. Often it is a case of spending the right amount of money on cyber security to reduce exposure to risk. But he adds:
“The second is that it’s a really complicated affair. It’s very easy to address from the outside and say ‘oh why don’t they just patch that stuff?’ But regarding Petya or NotPetya, that was just one vulnerability out of thousands – so how would they know to patch that one, rather than all of the others that needed to fix?”
A frequent bugbear of mine that certainly doesn’t help is the false promise of silver bullets from many in the security industry. One would need a whole Gatling Gun full of them to mow down the onslaught of cyber security risks facing a modern business.
It’s a common misconception that one can just purchase a bit of anti-virus software, job done, get back to work. Instead, says Whitfield, it is an ongoing, incremental process.
“The security industry has been at fault for promising those silver bullets. And the thing is, there aren’t any. You’re never going to have one single tool or method or approach that’s going to solve the problem. It’s really about being that awful word ‘holistic.’
“It’s a holistic approach that’s required, and to carry that out in the most efficient way, you need data science to discern what the next best action is.”
Viruses, ransomware, and other nasties have been around for decades. The recent spike, while perhaps making firms more likely to take action, isn’t going to reduce the threat.
“I hate to be a doomsayer, but the reality is, it will get worse before it gets better. It’s difficult to know when there will be a tipping point towards an overall high standard of data hygiene. Unfortunately, as Reckitt has shown, a ransomware attack that, on the surface, was deployed to extort cash actually massively disrupted their business operations because they lost access to data. Sadly, this is just the start.”
Elliott Haworth is business features writer at City A.M.