WannaCry ransomware took the world by surprise last week. What made it happen?
It’s very simple how it came. The National Security Agency (NSA) in America hacked Microsoft. They found a backdoor into Microsoft’s system, and the hackers hacked the NSA. So, there was a chain reaction. Once the hackers got hold of the backdoor into Microsoft’s system, they looked for weaknesses in organizations who hadn’t patched their systems. And those were the ones that were attacked. They used the vulnerability that the NSA knew about to get into all organizations who had not updated the software.
What can we or what should we learn from this WannaCry episode?
What we can learn from this is that you have to apply the necessary patches from the software providers as and when they are issued. As and when Microsoft issues patches, the IT guys must apply them to the organizations.
Should we expect another WannaCry ransomware attack soon?
It’s imminent. The software is changing as we talk. I mentioned that developers of malware are sitting and developing the malware in coffee shops. That is true. They take existing pieces of code, modify them and introduce them. I predict that within the next month, you are going to see a new WannaCry attack.
During your intervention, you talked about the medical sector being the next area where the next big attack will take place. Why is that?
The reason that this is going to happen is that life insurance companies will buy their data from the hackers because, if they know who is sick and who is not, they can then do their underwriting using informed data. They can make huge profits in the life insurance companies. It’s not only small people who benefit from this. You end up with what we call “selective underwriting” based on medical information that they bought from hackers. The whole database is useful to a big life insurance company.
People and companies have been promoting Cloud for some time now. What are the risks associated with it?
Cloud has got significant risks. The problem with Cloud is that you assume that it’s secure, but who has actually tested the security of the Cloud? When you go onto Microsoft Cloud, do you actually ask them for a certificate that it’s secure? Do you have the necessary certificate in place? You don’t. You just go onto the Cloud. You get free Cloud. You can go on Amazon or iCloud, but you never check how secure they are, or if they have been hacked. It’s not as secure as keeping your own systems well-controlled in your own organization. But bear in mind, whatever security you have on the Cloud, what is still important is people’s knowledge of how to control their passwords to the Cloud. So, again it comes back to people and training.
Is being cyber ready (and not cyber secure) the sole responsibility of the IT department of a company?
No, it’s the responsibility of the Board of directors, who must delegate to specialists the responsibility to form the IT Steering Committee. And the latter must report to the Board, and give them assurance that the people are ready for cyber.
Have you conducted a survey in some Mauritian companies to see if they are cyber ready?
We are doing that. We just arrived in Mauritius, and we have set up the BDO Cyber laboratory. We are going to do the survey just as we have done in South Africa. There, we have found that about 20% of companies are ready, and 80% are not. The reason is budget. People don’t want to spend money on becoming ready. They tend to save money, and that’s a shortcoming.
Despite knowing that if they are hacked, they will need to spend even more to be protected?
People think that “this will never happen to me”. And when it happens, they pay ten times more. The message is, spend on prevention rather than cure.
Can we say that technology has become more of a curse than a tool?
We cannot avoid using technology. We just have to use it appropriately. It’s like anything in life. As long as you use it correctly, you will be okay. But if you don’t manage it, it’s a curse.