Ransomware: should have known better

You would have thought that IT Managed Service Providers would know about ransomware, wouldn’t you?

Well, clearly not all MSPs are equal: US MSP, Cognizant, admitted last week that a successful April ransomware attack would negatively affect its Q2 earnings by between $50m and $70m – and this before allowing for currently unquantified ‘additional and unforeseen legal, consulting, and other costs associated with the investigation, service restoration, and remediation of the breach!

Which Cognizant systems were affected?

According to ZDNet: ‘(1) Cognizant’s select system supporting employees’ work from home setups and (2) the provisioning of laptops that Cognizant was using to support its work from home capabilities during the COVID-19 pandemic.’ Exactly those systems that would have been critical to supporting its clients switching to remote working in response to the Coronavirus pandemic. It’s not clear how the attack was perpetrated but ransomware attacks typically involve phishing email campaigns and organisations that fall victim typically have inadequate phishing defences. Phishing defences require more than technical measures – the only way to stop all phishing emails reaching their targets is to close and/or quarantine ALL incoming email and other electronic communications. And that’s just not practical. So, while the first line of defence must be technological, the second – and probably more important – line of defence must be well-trained staff that treat all unexpected email with healthy suspicion.

Cyber attackers know that their emails have to get past target defence systems. That is exactly the operational challenge faced by today’s e-marketers. Cyber attackers therefore use tools honed by e-marketers to ensure that a percentage of their emails penetrate target defences and reach individual in-boxes. And where those people are inadequately trained, someone will invariably click on an infected link. Cyber attackers only need one person to make an error; target organisations need 100% of staff to never make an error.

It’s long odds. That’s why smart organisations also put in place effective third and fourth lines of defence: cyber security event assessment and incident response processes.

Of course, those also require staff training.

And, above all, successful defence requires corporate managements to recognise and act on the need for defence – now, in the bad times, even more than in the good times – after all, funding effective defence is way less costly than funding an expensive response and its aftermath.