A conversation with Colin James, Vodafone Head of Security
Earlier this year, the city of Atlanta was brought to its knees for five days by a ransomware attack that was one of the most significant and sustained against a major US city.
The local government’s 8000 employees couldn’t turn on their computers, citizens couldn’t pay for utilities online and travellers at the world’s business airport couldn’t use the free Wi-Fi.
In an age where governments and businesses around the world are shifting their day-to-day operations and services online, cyber-attacks like this serve as stark reminders to the vulnerabilities inherent in a connected world. Vodafone Head of Security, Colin James, weighs in on how security threats are playing out for New Zealand businesses, and more importantly, why you need to put your customers at the heart of your security strategy.
What types of attacks are we seeing in New Zealand?
We’re seeing two main types, both motivated by extorting ransom. These are the crypto-locker type like in Atlanta, where malicious software blocks access to files and data until a ransom is paid to unlock the encryption. When this happens, you’re in an ambulance at the bottom of the cliff situation, as you’re already shut down. Also, ransomware hackers often gain access to their victim’s systems and then wait for days or weeks before issuing their demands and encrypting the data. That delay makes it harder for cybersecurity teams to detect the breach, while making it easier for attackers to strike again.
The second, and more commonplace type in New Zealand, is a denial of service where there is a threat of an attack unless you pay up. You have more opportunity in these cases to put things in place to protect yourself. That said, there is effectively a black market for denial of service tools, where they are on offer as a totally untraceable cloud-based, buy as you go service - they even have help desks.
Should you pay up?
It’s a tough call, but ultimately, if you pay up you are rewarding the attackers and, however unwittingly, perpetuating more attacks.
Hackers count on choosing targets that they believe can afford the ransom, but can’t afford the down time to their business or the comparatively higher investment of time and money that may be required to stand up to the threat.
What steps can you take to protect your data and systems?
Security is always a trade-off. You can lock everything down to the point you would slow business down along with it. There is no silver bullet.
Having good security hygiene is our best advice. This means, for example, making sure you apply the latest software patches and anti-virus software. Attackers rely on people being out of date. And, you need to back up.
Bigger picture, think about your Security strategy and systems with your end-users and customers in mind. Think about what a breach could mean for them personally and show a commitment to their privacy.
How can Vodafone help?
One of the tools we offer is managed security, where we proactively hunt for threats as opposed to investigating only after an attack happens. We want to offer reassurance around the connectivity that we deliver, including notifying our customers in real time about new vulnerabilities.
What do you do if the worst happens?
You could have the worst possible cyber-breach but how you manage it can make the difference between retaining your reputation, revenue streams and customer base and not. For example, UK telco TalkTalk has become infamous for their handling of recent customer data breaches. The CEO appeared uninformed and indifferent, and their reputation was indelibly tarnished.
But, if you’re honest, transparent and, importantly, show that you care, customers will be more inclined to trust you. I believe it’s as important to show empathy before a breach occurs as it is after the fact. What I mean by that is businesses should carefully consider and take seriously the potential impact of a breach on their customers when they are making decisions about the time, money and resource they’re willing to invest in security. Remember that even small bits of information gathered from data breaches can have huge impacts on people – there are tragic stories of people having their mortgages revoked, credit ratings destroyed and even losing their homes. This is modern-day identity theft and businesses need to take steps to mitigate against it.
Any business who holds customer data is a custodian of that data and owes their customers a duty of care to protect it.