WannaCry ransomware creators did a "sloppy job", police cybercrime expert tells Norfolk Chamber conference
PUBLISHED: 14:07 18 May 2017 | UPDATED: 15:26 18 May 2017
A cyber attack which brought organisations in 150 countries to their knees was a poor example of what such software is capable of, according to a police cyber security adviser.
Paul Maskall, who works with Norfolk and Suffolk Police’s cybercrime division, said the perpetrators of a ransomware attack last weekend which infiltrated more than 200,000 machines globally had done “a sloppy job”.
And its $55,000 take pales in comparison to the Angler ransomware scam, which netted around $60m a year before being shut down in 2015.
Speaking at the Norfolk Chamber of Commerce’s cyber security conference on Thursday, Mr Maskall said: “If it was designed by someone who knew what they were doing, it could have been a devastating attack.”
The conference at The Space in Norwich saw presentations from Kitty Rosser, intellectual property specialist at Birketts; Andrew Taylor, lead assessor at cyber safety accreditation body APMG International; Peter Freeman, founder of wireless internet provider FreeClix; and Rahul Colaco, senior manager of information security and data privacy at PricewaterhouseCoopers.
A major talking point was the General Data Protection Regulation (GDPR), new European legislation which comes into force on May 25, 2018 and will continue to apply after Brexit.
As the Data Protection Act it replaces already does, GDPR will require businesses to show they have taken appropriate measures to prevent a cyber security breach to escape a fine if systems are compromised – the maximum penalty will rise from £500,000 to 20m Euros, or 4% of global turnover.
Ms Rosser, corporate and commercial associate at Birketts, said: “Any sort of intrusion into your system should be a red flag to you to ask, has my data been accessed and is it still secure?
“If there is any question that it may have been compromised, that is when your data protection obligations come into play.”
She added: “This law (GDPR) does require you to be proactive. It also gives greater onus on building a secure system from the ground up.”
Mr Maskall, who called himself a “social scientist at heart” rather than a techie, said one barrier to deeper investment in cyber security was the intangibility of electronic data.
“You assign value to something based on the impact on your mental, emotional or physical wellbeing if you lost it.
“We do not assign the right level of value to the data and technology we rely on and this is across the board, because it is not tangible,” he said.
According to data from APMG International, 46% of machines which fall victim to a cyber attack have no anti-malware installed on them, but 99.9% do have up-to-date anti-virus software.
Andrew Taylor, who has worked in security for 30 years with governments and local authorities, said businesses had an ingrained “fit and forget” attitude towards cyber security software.
“Once the system is in we fall asleep again, and unfortunately in the cyber world that means the criminals will get you because they do not sleep.”
The industry’s view
Ian Limeburner and Ian Stone, from insurance company One Broker, have around 150 clients with cyber liability cover, mostly in the SME market.
Mr Limeburner said: “Not a lot of businesses have grasped the nettle yet. A lot of people do not see cyber security as a risk to them, they think it is only the big companies who are hit, but we have seen a massive increase in attacks in the last 18-24 months.”
Mr Stone added: “I think people are starting to accept it as being relevant to them. We have been talking to our clients about this for the last 18 months, but it is up to us to constantly talk to them about it and educate them.”
Graham Duckworth, from IT solutions firm Green Duck, believed many people were still not taking the issue of cyber safety seriously.
“Some of the management at our clients do not have a clue about the risks to the people’s data they hold and how they share it. They do not comprehend that they are doing anything wrong.”
He added: “The biggest thing businesses have to do before GDPR comes in is to get an idea of data mapping – who has access to their data and how and where they are using it.”
The visitors’ thoughts
Karen McDowall, facilities manager at financial advisory firm Smith and Pinching, said: “We are very serious about data protection as with financial advice you have a lot of client data.
“I wanted to come to check from an IT point of view that we had everything in hand, and we do have a lot of it in place.
“It has boosted my confidence in a lot of things and also shown me the areas where we need to improve.”
Harry Mitchell, marketing manager at Anglia Farmers, said: “For us as an organisation which holds thousands of members’ personal information our priority is going to be how safely that data is held. We want to ensure we are compliant as an organisation, doing our due diligence.
“We are being proactive to make sure we keep our members’ data safe. Today was another sense check to reassure us that we are taking the right steps.”