Massive cyber attack no big surprise



With my experience in IT, it's more surprising that such a massive attack took so long to happen.

Let me clearly state that whoever is behind this, an individual or a group, they are criminals who endangered lives and stole from people. I hope the authorities track the culprit/culprits down quickly and bring them to justice. This is not behaviour that should be condoned.

Back to the topic. I do not find it surprising that such an attack took place. The state of security in general is in bad shape. Let me give an example: banks, who are in charge of your money, have had horrible security practices in their apps.

In 2013, 90 percent of apps had some traffic unencrypted; now, it's just 35 percent.

The emphasis is mine, but consider that part. "Just" 35 percent of tested bank apps did not use encryption. The study only tested apps from the 40 biggest banks across the world in 2015. Given the resources these institutions have (even in 2015), 14 of those 40 apps did not use the most basic security practices to guard their customers against fraudsters and thieves. In my opinion, this should be part of a bank's core business model: protecting their customers' money. Those numbers are 2 years old and I do hope the situation is a lot better now (I did not find more recent numbers). That does not mean the situation is good.

Now, I took banks as an example because I believe protecting the privacy and money of customers is paramount. This problem appears in almost every organisation that uses information technology to gain an advantage, but doesn't acknowledge IT to be a core aspect of their business. From hospitals to car makers, they were all unprepared. The organisations could have been prepared: Microsoft issued a patch for the problem about 2 months ago.

It's because IT is still being treated as a second-class citizen in most organisations. Managers want the cheapest solution to a problem. I've seen it time and time again in consultancy: the lowest bid wins the contract. Now I'm working in a private organisation and I see it happen here too. Instead of making resources available to do something right, tight deadlines and shifting priorities get in the way of producing a quality product.

The biggest change I hope to see from this is that IT isn't a side of the business that should just be given enough resources to keep things running. IT departments and end-users should work closely with the people they support. More resources should be allotted to make sure the non-functional requirements such as security, performance and optimisation can be handled correctly. IT can be a major contributor to a business's success, but it will not be able to do that on a shoestring budget.

By resources I mean time, manpower and availability of knowledge. The easiest to explain is manpower: this is giving developers and analysts the freedom to do their jobs to the best of their ability.

With time, I want to focus on giving the people in an organisation the time to do the job right. Trust them to get the job done in the most efficient way they know. It will become evident pretty quickly which people aren't doing this.

The last point is the most difficult one to explain: availability of knowledge. This is because it comes in many forms. The first is knowing how to do your job well. I now know how to do my job a lot better and more efficiently than when I first started. This is because I keep learning about new and innovative ways to do my job from other smart, talented and professional developers. So give your IT professionals opportunities to learn, both from their mistakes and their successes.

Availability of knowledge goes further though. It also extends to making as much information available to your IT department as possible. Give them the freedom to talk to the business directly to know what their needs are. Give a project team a contact person to ask questions. This person should be an end-user, not a manager or department lead. They think they know what their people are doing, but mostly don't know the details. Also give that contact person time to answer the questions. If he or she has to answer questions from the IT department on top of their already busy schedule, then their answers will never be the best they could be. So make sure that person knows that conveying knowledge is a big priority.

Knowledge also flows in the other direction. When old software is replaced by new, not everybody will intuitively understand everything. Make time to train end-users to use the software correctly. Fewer mistakes lead to less intervention, which in turn leads to higher productivity at both ends. This goes for all software: from business-critical software (such as accounting software for the accounting department) to non-critical software (such as SharePoint or browser use).

If you want to change behaviour, just training will not suffice. Making end-users think critically about every mail they receive cannot be done by giving them half or even a full day of training. It is important they are taught how to spot malicious content or a phishing attack, but they need to be reminded from time to time. This can be done by occasionally hiring a company to send fake phishing mails and evaluating which employees correctly identified this as a problem and which need another round of training.

All those things cost money, sometimes even a lot of money, and the ROI can be hard to estimate because we're dealing with very vague terms such as an increase in security. Failing to invest in these things will result in more security breaches such as the "cyber apocalypse", which will cost companies hands full of money in the best case scenario and human lives in the worst.