The IT costs of running a bank are already horrendous. But as the recent ransomware attack shows, any bank that doesn’t install the latest software and keep it updated is asking for trouble, writes Brian Caplen.
If a 22-year-old British blogger can stop a global cyber attack with a bit of ingenuity and a mere $11, what is everybody else doing? Don’t big companies have folks on staff looking out for problems in cyber space? Aren’t the security agencies keeping watch and then springing into action at the first sign of trouble?
Apparently not or, at least, not as effectively as is needed. The WannaCry or WannaCrpyt ransomware attack carried out last week hit 200,000 computers across 150 countries and impacted UK hospitals, German railways, Russia’s interior ministry and the China National Petroleum Corp among others.
The irony is that the attackers used as part of their kit a hacking tool developed by the US National Security Agency which was stolen from them and leaked online. Microsoft’s president and chief legal officer, Brad Smith, has described this as like “the US military having some of its Tomahawk missiles stolen” and he has called for a Digital Geneva Convention laying down international rules “to protect the civilian use of the internet”. This international body would need to work with the tech companies in the same way as the Fourth Geneva Convention involves the Red Cross, says Mr Smith.
Indeed, in March Microsoft issued a patch to protect users from the software flaw used in the WannaCry attack, but many computers were not set to automatically update and so missed it. Most victims were also vulnerable because they were using old and unsupported operating systems such as Windows XP.
Have you ever complained about the time it takes to receive Microsoft updates or the hassle of learning a new version such as Microsoft Windows 10? After WannaCry, it is obvious that installing the latest software and keeping it updated is an essential cost of doing business for every bank and company.
Australian security blogger Troy Hunt wrote, in response to the WannaCry attack: “Organisations need to be proactive in monitoring for, testing and rolling out these patches. It's not fun, it costs money and it can still break other dependencies, but the alternative is quite possibly ending up like the [UK] National Health Service or even worse. Bottom line is that it's an essential part of running a desktop environment in a modern business.”
Alternatively, business is going to be dependent on the activities of internet do-gooders such as the British security researcher who spotted an obscure web address being used by WannaCry to spread the virus and took control of it. Buying the address to do this cost him $11. Surely every bank needs someone like this on their staff.
Brian Caplen is the editor of The Banker. Follow him on Twitter @BrianCaplen
Register to receive my blog and in-depth coverage from the banking industry through the weekly e-newsletter.
