Corporate Responsibility In The Age Of Ransomware Hacks

By Adam Stern | Forbes Technology Council

Ransomware is anything but a victimless crime. Perpetrators are nefarious, calculating and unfailingly greedy. Being on the receiving end of an attack is unsettling at best, and catastrophic at worst. Whether aimed at individuals, organizations or companies, ransomware hacks typically elicit nods of understanding from those within earshot and rueful sentiments about the inevitability of it all.

In my view, this is more enabling than empathetic. Attacks may be driven by crass, even criminal motives, but no one is a bystander here. The object lesson is this: Today, you need to defend yourself against things you didn’t do and that weren’t done to you directly.

Let that sink in for a moment. Hacks happen, damaging individual industry sectors and, in some cases, large chunks of the economy. High-profile companies outside of the IT bubble need to take cloud security seriously, not just for themselves and their users, but for just about everyone. All organizations are now stakeholders in the cloud business. In the IDG publication CSO, Andrew Douthwaite writes, “The more sprawling the company or organization, the more exposed it may be, necessitating cybersecurity strategies that cover partners, manufacturers, and suppliers.” One screw-up by one well-placed player can easily slam the innocent. Everyone needs to treat user data with respect or risk ripples with untold consequences.

So what does it mean to be a good steward for the industry, particularly if your firm is on the periphery of cloud computing (that is, as a consumer and not a vendor)?

Consider this: A major cloud-based payroll software provider suffered a crushing ransomware attack earlier this year, taking down payroll management services for hundreds of the company’s customers over a three-day period. Faced with the threat of an extended outage — provoked by a destructive strain that encrypts computer files and demands payment for a digital key needed to unscramble the data — the company paid the ransom and began restoring service.

The target organization’s reach was significant, touching payroll service bureaus that cater to small and midsize businesses nationwide. Payroll customers, in turn, were beside themselves. While one key provider was battling pneumonia, everyone else caught a cold.

As Douthwaite observes, “Though traditionally tucked away under the IT umbrella as a security concern, many if not most of the consequences of cyberattacks are monetary, with severe and long-lasting financial implications.”

The astute way to frame this discussion is to think of the gestalt of the cloud, not of the various actors (innocent, complacent, negligent, etc.). Any platform or environment succeeds only to the extent that its users and stakeholders trust it. Years of deployment have validated the cloud generally as a safe, hospitable place. But although we’re past the point of quibbling about basic security, cloud computing is still playing defense. What we continue to confront are undefined behavioral norms for organizations and for the people who comprise them.

The cloud will thrive only as long as users believe that their data is safe with third parties. When they get wind of a data loss episode — when, for example, they hear that an employee deleted servers because he or she was fired — the vast majority of corporate consumers won’t differentiate between “good” (responsible) and “bad” (irresponsible) vendors. And when this kind of thing occurs with some frequency, decision makers may begin to rethink the reflex of entrusting their business and data to third parties.

That’s why every vendor needs to understand that failing to arrest breaches harms the cloud community as a whole. It’s imperative that service providers begin to regard their relationship with users as fiduciary. For that to be more than a platitude, the provider has to place the user’s needs above its own immediate financial concerns. While that may seem altruistic, even a bit unrealistic, it’s actually no more than enlightened self-interest. The fiduciary mindset is the right response to hacks, ransomware and cyberattacks because it affirms that everyone has skin in the game.

Indeed, the user is central to the security model. It’s incumbent on the industry to promote among users an informed, even sophisticated approach to the seemingly mundane practice of opening (or not opening) emails and attachments, because technology can only go so far. Successful phishing frequently involves zero-day attacks: new methods that perpetrators try for the first time and that can be disseminated to multitudes simultaneously. Although some technologies handle zero-day issues better than others, even the most dynamic protection systems can’t respond quickly enough to these threats.

So technology won’t save us. What might are changes in attitude and awareness. Both are more powerful than policies and procedures. Responsible cybersecurity means we’re all in this together. And it’s got to start at the top.

Forbes Technology Council is an invitation-only community for world-class CIOs, CTOs and technology executives.