If you didn't store valuable data, ransomware would become impotent

Start by pondering if customers could store their own info and provide access


Column Sixteen years ago, British mathematician Clive Humby came up with the aphorism "data is the new oil".

Rather than something that needed to be managed, Humby argued data could be prospected, mined, refined, productized, and on-sold – essentially the core activities of 21st century IT. Yet while data has become a source of endless bounty, its intrinsic value remains difficult to define.

That's a problem, because what cannot be valued cannot be insured. A decade ago, insurers started looking at offering policies to insure data against loss. But in the absence of any methodology for valuing that data, the idea quickly landed in the "too hard" basket.

Or, more accurately, landed on the to-do lists of IT departments who valued data by asking the business how long they could live without it. That calculus led to determining objectives for recovery point and recovery time, then paying what it took to build (and regularly test) backups that achieve those deadlines to restore access to data and the systems that wield it.

That strategy, while sound, did not anticipate ransomware.

Cyber criminals have learned how to exploit every available attack surface to make firms' hard-to-value-but-oh-so-vital data impossible to use. Ransomware transforms data in situ into cryptographic noise – the equivalent of a kidnapper displaying their hostage, while laughing at the powerlessness of the authorities.

Businesses now face not just data loss but data theft. The data is not only gone – it's been "liberated" by a threat actor who chooses to share exactly the parts of that data most damaging to your business, your customers, and your brand.

Do you still have a business? If so, how many lawsuits have been launched by clients who have themselves been damaged by your inability to keep private data private? Who will want to do business with you in the future? And can you ever again trust any of your systems – or your staff?

Sony barely survived the reputational damage of the serious attack it endured in 2014 – and it's not clear that any other business would do significantly better in similar circumstances.

Arguably the best strategy to avoid ruinous reparation costs is to avoid storing any sensitive data at all. Let your customers hold their own data, and ask them for (limited) permission to use it. Those techniques exist – but they're rarely used, because such an approach directly interferes with the profits to be made from endless data analytics. Short-term gains open the door to long-term losses.

We'll be caught on the horns of this dilemma until we learn – the hard way – how to collect, keep and use data without getting burned. ®

Broader topics


Other stories you might like

  • Google battles bots, puts Workspace admins on alert
    No security alert fatigue here

    Google has added API security tools and Workspace (formerly G-Suite) admin alerts about potentially risky configuration changes such as super admin passwords resets.

    The API capabilities – aptly named "Advanced API Security" – are built on top of Apigee, the API management platform that the web giant bought for $625 million six years ago.

    As API data makes up an increasing amount of internet traffic – Cloudflare says more than 50 percent of all of the traffic it processes is API based, and it's growing twice as fast as traditional web traffic – API security becomes more important to enterprises. Malicious actors can use API calls to bypass network security measures and connect directly to backend systems or launch DDoS attacks.

    Continue reading
  • What to do about inherent security flaws in critical infrastructure?
    Industrial systems' security got 99 problems and CVEs are one. Or more

    The latest threat security research into operational technology (OT) and industrial systems identified a bunch of issues — 56 to be exact — that criminals could use to launch cyberattacks against critical infrastructure. 

    But many of them are unfixable, due to insecure protocols and architectural designs. And this highlights a larger security problem with devices that control electric grids and keep clean water flowing through faucets, according to some industrial cybersecurity experts.

    "Industrial control systems have these inherent vulnerabilities," Ron Fabela, CTO of OT cybersecurity firm SynSaber told The Register. "That's just the way they were designed. They don't have patches in the traditional sense like, oh, Windows has a vulnerability, apply this KB."

    Continue reading
  • Carnival Cruises torpedoed by US states, agrees to pay $6m after wave of cyberattacks
    Now those are some phishing boats

    Carnival Cruise Lines will cough up more than $6 million to end two separate lawsuits filed by 46 states in the US after sensitive, personal information on customers and employees was accessed in a string of cyberattacks.

    A couple of years ago, as the coronavirus pandemic was taking hold, the Miami-based biz revealed intruders had not only encrypted some of its data but also downloaded a collection of names and addresses; Social Security info, driver's license, and passport numbers; and health and payment information of thousands of people in almost every American state.

    It all started to go wrong more than a year prior, as the cruise line became aware of suspicious activity in May 2019. This apparently wasn't disclosed until 10 months later, in March 2020.

    Continue reading
  • Cyberattack shuts down unemployment, labor websites across the US
    Software maker GSI took systems offline, affecting thousands of people in as many as 40 states

    A cyberattack on a software company almost a week ago continues to ripple through labor and workforce agencies in a number of US states, cutting off people from such services as unemployment benefits and job-seeking programs.

    Labor departments and related agencies in at least nine states have been impacted. According to the Louisiana Workforce Commission in a statement this week, Geographic Solutions (GSI) was forced to shut down state labor exchanges and unemployment claims systems, and as many as 40 states and Washington DC, all of which rely on GSI's services, could be affected.

    In a statement to media organizations, GSI President Paul Toomey said the Palm Harbor, Florida-based company "identified anomalous activity on our network," and took its services offline. Toomey didn't elaborate whether GSI was hit with ransomware or some other type of malware.

    Continue reading

Biting the hand that feeds IT © 1998–2022