2017 has been another rollercoaster year for corporate IT. Although there have been dozens of new technology advances that benefit businesses and consumers alike, the headlines have (once again) been stolen by stories of hacking and security breaches.

Here’s a quick rundown of what you (could not possibly) have missed, along with some advice for avoiding similar situations next year.

WannaCry makes the NHS want to cry

More used to treating the symptoms of viruses, several NHS trusts in the UK were seriously affected by a ransomware infection. Nearly 6,900 patient appointments were cancelled as IT managers fought to bring clinical systems back online. 

The official report into the incident failed to calculate the financial impact of the infection. Other organizations across the world were also affected by the incident, with some media reports suggesting Russia was the worst hit.

How to avoid a repeat:

Protecting against similar events is a three stage process. First you must gain complete visibility over your assets, and identify end-of-life components and systems. Second, you must upgrade outdated components, or increase security provisions around those that cannot be updated. Finally, you should implement a network vulnerability testing routine to identify issues as quickly as possible - before they can be exploited by hackers. 

Ukraine subjected to coordinated cyberterrorist attack

Hot on the heels of WannaCry came Petya, another ruthlessly efficient ransomware application. Apparently part of a co-ordinated attack, systems across Ukraine were quickly infected, encrypting local files and rendering them useless.

Government departments, the central bank and the Kiev metro network were all badly affected, and many key systems were taken off-line completely. Danish shipping firm Maersk was also taken down while technical employees struggled to recover data from backup.

How to avoid a repeat:

Again, outdated software and insufficient anti-malware provisions were to blame. To stay malware-free in 2018, your business must deploy and install OS/software updates as quickly as possible, accelerating your UAT test cycles accordingly. And obviously, install an antivirus client on all your endpoints.

Apple FaceID “hacked”

The release of Apple’s latest handset, named ‘X’ to honor the 10th anniversary of the iPhone range, was the usual media circus. Most of the headlines were devoted to the new FaceID biometric security system, which scans the face of the user to unlock the handset, or to authorize Apple Pay transactions.

Worryingly, it took researchers less than a week to successfully circumvent the system, using ‘a 3D printed mask, makeup and some simple paper cut-outs’. Other reports suggest that a boy was able to unlock his mother’s phone with his own face, and that the system is (perhaps unsurprisingly) unable to differentiate between identical twins.

For merchants, these issues are concerning – but the hype is probably disproportionate. Yes, hackers may be able to commit card fraud using stolen handsets – but the risk is probably lower than that presented by traditional plastic payment cards. 

How to avoid a repeat:

Tokenized payment systems are relatively safe, and will undergo continual improvement as technology evolves. No system is entirely foolproof, but merchants will be protected under existing Apple Pay agreements between issuers, acquirers and the payment brand network.

Compliance remains key

GDPR and other similar regulations define penalties for exposing sensitive information, but they offer little guidance as to how to protect data. PCI DSS is a set of universally available security rules typically used to help businesses involved in receiving and processing payments. The same principles can be used by any business however, a proven baseline for better protecting IT assets and data.

By applying PCI DSS Requirement 11 for instance, businesses will have the basic framework required to build a security testing routine that adheres to industry best practice principles. PCI DSS compliance helps raise IT security standards across the organization, reducing the risk of falling victim to a cybercrime event like those detailed here.

To learn more about increasing cyber resilience in your organization, please give us a call.

Marco Borza

Written by Marco Borza

I am the Founder of Advantio.
Technology has been my passion since I was a kid; when I first heard the handshake of an old 300bps modem I realised security would be key in an interconnected world. Since then it has become my passion and primary focus.
The reason why I've started my own business is to make IT Security simple.

Certifications: CISSP / CCSA (Checkpoint) / ITIL Foundations / ACSA (ArcSight)/ Linux+/ PCI-QSA / PA-QSA