The City of Florida, having agreed to spend $1 million (about £790,000) on new IT infrastructure after hackers captured their systems three weeks ago, has now agreed to pay $600k to regain access to those systems.
The ransomware was apparently downloaded after one employee clicked on a malicious email link.
And it proves the business case for the scammers, doesn’t it?
Crafting a smart phishing email, releasing it on a widespread basis to a database of email addresses purchased on the dark web and waiting until someone somewhere clicks on a link is not exactly a high-investment, high-risk business – and the returns are extremely good.
CBS even says that the best solution to a ransomware attack is paying the ransom!
A $600k payoff means that there will be more and more phishing attacks, and more and more compromised IT systems – all because complacent managements assume that it can’t or won’t happen to them.
The CEO of a US hospital, one that is now grappling with cyber-crippled systems, said: “Oh, those poor folks. I’m glad that’s never going to happen to us.”
And now it has.
And it costs money – not just the ransom payment but also the collateral damage and disruption, operations postponed and critical medical information that’s made unavailable.
It’s astonishing that every organisation doesn’t mandate anti-phishing staff awareness training, updated on at least a quarterly basis. It’s astonishing that every organisation doesn’t assess and re-assess cyber security risk on at least a quarterly basis.
Perhaps they should be doing it even more frequently. Cyber criminals are assessing and re-assessing cyber crime opportunities on a daily basis.
Time for management around the world to get with the programme!