This blog post is written based on an interview with Thomas Wong, Improsec, in the podcast Regnskabets Time, season 2 episode 4
The convenience store chain 7-eleven was hit by a possible hacker attack last week, which ended up closing all of its stores in Denmark. We feel that it must be appropriate that we bring an excerpt of our podcast with Thomas Wong from Improsec, where we got to talk about the current threat concerning having one’s data compromised by cybercriminals.
Interviewer: We talked a bit before we sat down to record today, Thomas. You told me that many Danish companies do not have the necessary level of IT security. Can you try to elaborate a bit on that?
Thomas: Yes. What I mean is that the vast majority of companies would like to focus on IT security. But when it comes to getting it incorporated into the company’s culture, it often turns out to be far more difficult to dedicate resources to it than first expected. It can, for example, be in relation to getting these basic things done, such as risk assessments or a business continuity plan, which tells you what to do if things go wrong. The day things go wrong, the snowball you have pushed in front of you has just gotten much bigger. Most businesses will be compromised at one point or another, so it’s a matter of making sure the amount of damage is as small as possible. So it is important to be well prepared for an attack.
Interviewer: Today, quite a few companies use cloud-based IT solutions. What exactly do you have to pay attention to concerning the security of a cloud solution?
Thomas: That is a very broad question. But one of the most important things to be clear about is who is responsible and when. The supplier has a responsibility. But only until their service “stops”. When a SaaS solution delivers data into a company’s operating system or the like, it is, therefore, the company’s responsibility that it is stored securely and that the system is sufficiently updated.
Interviewer: As an employee or user of a cloud solution, what can you do yourself to increase the level of security?
Thomas: Quite simply: Choose a good password. Do not reuse passwords. And this also applies in cases where you use different usernames, email accounts or the like – don’t reuse passwords. Here I also believe that you should not change your passwords according to a pattern that is easily recognisable. Last but not least, work-related and private things must also be kept separate. If everyone did that, and stopped checking their private email from their work computer, there would be fewer attacks.
Interviewer: How do you discover that you are under attack?
Thomas: First it starts as an operational disruption – there are files that can no longer be accessed, programs that no longer work and then this is usually followed up with a message which states that you can get your things back if you pay for it. Usually worded in a very nice and polite way. After this, it is quite important to be open about things. An attack can last a long time, and it’s perfectly okay to be open about it. But what should happen next, is that the company should follow the aforementioned business continuity plans. Then you know what to do in all phases of the attack and the subsequent recovery phase. It will save an incredible amount of time and ultimately money.
Some of the companies that have been hit very hard are those that do not have plans ready in advance. In many cases, the public may not even hear that there has been an attack. Because the company has acted quickly, since there was a clear plan and strategy for what to do before, during and after the attack.
Interviewer: Should companies pay the attackers in order for them to stop?
Thomas: I would not recommend that to my clients. I say that from an ethical aspect. But having said that, I can come up with examples of where it would make sense for a company to pay off the attack. It could, for example, be in a case where the company simply will not be able to continue and where bankruptcy will be the natural consequence of the attack. Here it can be difficult to say that you have a choice. But if you choose to go down that path, I would also recommend that you work with some professionals who have experience in negotiating with cybercriminals.
However, if you want to avoid being in a situation where you even have to consider paying off an attack, then risk assessment, training, preparation, penetration tests, etc. are the way forward. It sounds very sad, but it may end up being the most important investment the company has ever made.