I’m not massively into FUD pieces (Fear, Uncertainty and Doubt), but I feel compelled to write a small ditty on crossing the t’s and dotting the i’s. This stuff should be obvious really, but it is often the first thing that folk become complacent about in the day to day running of their businesses.
When I was 14, I had a Saturday job cleaning rooms at Trust House Forte (Heathrow). I was late to work one week, no excuse, I was 14. My boss said to me “Christian, in life never paint your foot orange if you want to keep your job”. I didn’t understand her at the time, but I was never late for work again. I later understood what she meant: never put your job at risk by getting the simple things wrong, and don’t be complacent over the stuff you absolutely can control.
A life lesson at home can be terminal at work
Nine out of ten households that buy monitored home security systems do so after they have been a victim of a break-in or crime of some kind. Closing the door after the horse has bolted is seen as regrettable, but acceptable. It may come at great personal expense in terms of goods lost and mental health, but no one gets fired, a life lesson is learned and you move on.
However, in the workplace it is not just regrettable. There will be more crypto viral extortion (ransom) attacks like Travelex’s in the coming 12 months; whilst only a few make the news, they are happening all the time, and we are all too quick to forget these things. I bet if I say “WannaCry 2017” folk will go “oh yeah”; it all just fades so fast. It’s hardly surprising that most organizations pay up, then go on to buy a monitored alarm.
In the last few years breaches in data protection have been numerous and costly, be it with fines capped by GDPR or those that fall into uncapped geographies, and this could be the final curtain on your business. Some examples: Equifax had to set aside $380 million to pay out customers over their 2018 breach and subsequently committed $1 billion to purchasing a “monitored alarm”; British Airways was fined $230 million in 2019; Marriott was fined $124 million and Google $50 million; the list goes on and on.
In the world of cyber, with state actors and international criminal gangs all vying for a piece of your action, the threat to your livelihood and your enterprise is very real. System and business owners, this is not a situation where closing the door after the horse has bolted is acceptable; there may be no door left to close.
In most cases the company gets fined but survives; trust me, though, someone has to be fired. Don’t let it be you, simply because you had other more pressing issues or budget constraints that meant keeping up to date with patches and supported software was not deemed possible or urgent right now.
Please tell me it’s not BAU
I spoke to a nice guy a couple of weeks ago. He was running Windows 7 desktops (5600 users); he didn’t have a support wrapper from Microsoft to handle the delta support that needed to kick in after January. He didn’t even know you could get it from Microsoft, but he seemed ok with the situation. Cue author sucking air back through teeth.
It was the general lack of concern that was concerning for me. He cited many issues that he was facing with both time constraints and budget, and therefore there was no way he would be able to resolve the desktop operating system situation this year.
I was thinking: if you have a ransom attack and the breached wall was due to “your” choice, a choice you are making on behalf of a multi-billion dollar organization, to knowingly run with a risk like that, then you just painted your foot orange, my friend.
He felt ok though, because he was still paying for subscriptions and support on a number of desktop software applications, from terminal emulators to email clients, so he thought all was well. He had no idea that the small print in those support and maintenance agreements means that support is only valid if your operating system is supported and patched to the current level. Quite simply, if your desktop application is running on an operating system that is out of support, then your desktop application will also be unsupported.
It stands to reason that a building requires a solid foundation; if the foundations are weak and compromise the integrity of the building, the home builder will appropriately attribute the cause and apportion liability to the groundworks team. The same is true with software: if your desktop application develops a fault, the first thing the application vendor will say is “what version of the operating system are you running?”, because your support and maintenance agreement sets an expectation that you are running a currently patched and supported operating system.
More dodgy foundations
I work with a lot of legacy system owners, and it’s very common for them to be running terminal emulators that rely on web browser-based Java applets or Microsoft ActiveX controls. You find the same situation in existence here: a false belief that because the terminal emulator application vendor has been paid up to date, their organization is supported by the vendor.
You guessed it, there is a very good chance they are not supported. In the case of the browser-based JVM (Java Virtual Machine), it was deprecated by Oracle 2 years ago; similarly the desktop JVM was deprecated a year later. A lot of organizations have essentially paid two-year subscriptions for support on applications that, in the small print, were completely unsupported.
If your car is stolen and it turns out you left your keys in the ignition with your car doors open, then your insurance company will not pay out, and the same is true here. The desktop application vendor will happily renew your subscription, with the expectation that you don’t leave the keys in the ignition. However, like the insurer, the software vendor is unlikely to support you, due to the fact that you were running their software in an unsupported operating environment, be it old versions of Windows or the JVM.
The Net Net
Don’t allow day-to-day pressures to impact getting the easy things right. Make sure your operating system is still supported and patched up to the latest version, and don’t fool yourself into thinking a valid access license and support agreement guarantees that you are supported by the vendor. If you think you can make a decision to run this level of risk on behalf of your business, you are very probably wrong. You will be the one with the orange-painted foot with a bullet hole in it. Quite simply, you need to ensure that the powers that be understand the risk to the business, and therefore the criticality of keeping the doors shut and bolted.
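The small-print dependency the post describes (an application's support is only as good as the support status of the operating system underneath it) is easy to encode as an inventory check. The script below is an added example, not the author's code; the host inventory and the `Host` fields are constructed, the Windows 7 end-of-support (2020-01-14) and paid ESU end (2023-01-10) dates are Microsoft's published ones, and the Windows 10 22H2 date (2025-10-14) is also from Microsoft's lifecycle page.

```python
from dataclasses import dataclass
from datetime import date

# End of vendor support per OS release. Windows 7 extended support ended
# 2020-01-14 and its paid Extended Security Updates (ESU) ran to 2023-01-10;
# Windows 10 22H2 support ends 2025-10-14. Keep this table current.
OS_SUPPORT_END = {"Windows 7": date(2020, 1, 14), "Windows 10 22H2": date(2025, 10, 14)}
OS_ESU_END = {"Windows 7": date(2023, 1, 10)}   # paid extended security updates
AS_OF = date(2023, 1, 1)                        # assessment date for the example

@dataclass
class Host:                      # constructed inventory record, not a real schema
    name: str
    os: str
    patched_to_current: bool     # OS at the current patch level
    has_esu: bool                # paid ESU contract in place for this OS
    app: str
    app_subscription_valid: bool # vendor support/maintenance paid up

def support_status(host, today):
    """Return (effectively_supported, reasons). The app only counts as supported
    while its subscription is valid AND the OS beneath it is supported (or covered
    by ESU) and patched: the dependency hidden in the vendor's small print."""
    reasons = []
    end = OS_SUPPORT_END.get(host.os)
    esu_end = OS_ESU_END.get(host.os) if host.has_esu else None
    if end is None:
        reasons.append(f"{host.os}: unknown release, treat as unsupported")
    elif today > end and not (esu_end and today <= esu_end):
        reasons.append(f"{host.os}: vendor support ended {end}")
    if not host.patched_to_current:
        reasons.append(f"{host.os}: not patched to current level")
    if not host.app_subscription_valid:
        reasons.append(f"{host.app}: subscription lapsed")
    elif reasons:
        reasons.append(f"{host.app}: subscription valid but voided by OS state")
    return (not reasons, reasons)

# Constructed inventory for the example, not real hosts.
INVENTORY = [
    Host("desk-001", "Windows 7", True, False, "terminal emulator", True),
    Host("desk-002", "Windows 7", True, True, "terminal emulator", True),
    Host("desk-003", "Windows 10 22H2", False, False, "email client", True),
    Host("desk-004", "Windows 10 22H2", True, False, "email client", True),
]

def unsupported_hosts(inventory, today):
    """Map each host that fails the check to the reasons it fails."""
    report = {}
    for h in inventory:
        ok, reasons = support_status(h, today)
        if not ok:
            report[h.name] = reasons
    return report
```

Run against a real asset inventory, the report gives the list of machines whose paid application support is worthless until the operating system is brought back into support.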