A recent story of a ransomware incident impacting a hospital for sick children highlighted for me how ransomware, and by extension other cyber-crime, is often a criminal enterprise. It is run by individuals and groups in much the same way that a conventional business or enterprise would be run, but to a criminal ends.
The story in question related to a ransomware incident which impacted on SickKids just prior to Christmas this year (you can read more here). The incident was reported as resulting in longer patient waiting times however where this story diverges from the normal ransomware story is that a ransomware gang publicly apologised for the attack and provided resources to help the hospital in the form of a free decryptor tool. Now it is unclear if the decryptor worked on all or some of the effected systems, or even if it was used at all, as using a file provided by a criminal operation doesn’t come without its risks. The ransomware gang also acknowledged that the attack came from a “partner” and that they have been expelled from the ransomware gangs “affiliate program” for violating the gangs rules.
If we change the context to a simple and legal business operation a lot of the above would still make sense. Affiliate programs, business or partnership rules, a public apology for an error plus the offer of support; This is what you might expect from an conventional business operation, not a criminal gang.
This I believe is the big challenge for education and the wider world, that we need to accept that some see a business opportunity, an opportunity to make money off the illegal activity of cyber-crime. While this continues to be the case criminal gangs and cyber crime will continue to exist. And if we consider increasing technology usage and increasing data volumes being gathered in society as a whole, this opportunity can only be viewed as continually increasing. Additionally, if we extend the business analogy these illegal gangs will likely be constantly seeking to improve, expand existing revenue streams and create new revenue streams in much the same way as a conventional, and legal business would do.
So cyber crime is likely to continue to grow as a threat and this is pretty inevitable. What do we therefore do to try and protect ourselves? For me it comes down to a number of things, to organisations but also to individual staff, to seeking to regularly review, test and improve defensive measures, while also preparing to deal with an incident when it should eventually arise. It is about building awareness as to the risks and preventative measures and building a wider cyber culture in organisations.
All of this makes me think of business competition, where two business fight it out in a given sector or product market, to see who wins. Coke vs. Pepsi for example. Here however one business will be legal, fighting against another illegal, criminal enterprise. I can’t help but think that this is an inherently unfair fight but one that will continue to become more and more common!