Scams, Cyber Security and Updates.
Underestimate the Risk of Rare Events?
The results from our experiment indicate people learn from experience to delay security updates.
Compounding this, over time as users fail to experience these rare events, but do have to go through the effort of applying update after update, learned behaviour reinforces the underestimation of risk. In other words, "I've never been attacked, so am unlikely to be attacked".
Actually, the paper goes further to show that in rare cases 1% of people who do apply security patches in a timely fashion are still subjected to an attack. Whilst the attack is often unrelated to the applied patch, this has a further detrimental effect on the willingness to apply timely updates in the future, "even when I did apply the updates, it was useless. I was still attacked!"
What is the Risk of Delayed Updates?
According to security company Tripwire, approximately 30% of data breaches and cyber attacks result from slow deployment of patches and security updates. Another study estimates the number to be closer to 60%!
The most famous attack in recent times that resulted from slow patch processes was the WannaCry ransomware attack of 2017.
The ransomware attack hijacked computers, demanding a ransom be paid to unlock them, or risk permanently losing the data on them.
This attack hit almost a quarter of a million computers worldwide (230,000), compromising operationally critical and personally sensitive data of several very well known organisations, including the Spanish telco Telefónica and the UK's health service, the NHS.
The Scale of the WannaCry Cyber Attack
In the UK the NHS had to cancel approximately 19,000 appointments and surgeries, costing approximately £92 million. Across the world, 150 countries were impacted, with a total predicted economic impact of $4 billion.
The impact of the WannaCry attack was huge. In fact so huge, it could be argued that it made the attack seem even more out-of-the-ordinary, and perhaps heightens the perception that this was an exceptional attack that is "unlikely to happen to me". But to believe this would be a costly folly.
The WannaCry attack was only possible because organisations were slow in applying updates to their Microsoft-based systems. In the same year Equifax suffered its mega breach.
As uncovered in this article, the average cost of each data breach to a typical organisation is in the region of $380,000. So what holds organisations back? Why, when the risks and costs have never been more publicly evident, are they slow to deploy updates?
Beyond the human tendency to downplay the probability of rare events, one study found that two of the major factors contributing to slow security patching are complexities and politics of dealing with multiple stakeholders across the organisation, and the ability to hire qualified staff.
Cybersecurity Ventures estimates that by 2021, the number of global unfilled cybersecurity roles will exceed 3.5 million.
I asked security experts umlaut for a comment on the importance of timely security updates:
The WannaCry example shows that cost cutting in security will be expensive in the long run. Regular updates are increasing security enormously, as our benchmarks in the area of cybersecurity show. umlaut helps customers and partners to build robust processes to find and close security gaps in the digital infrastructure, before serious damage occurs.
Microsoft Patch Tuesday
In 2003, as part of an effort to raise collective awareness and action on the topic of timely updating, Microsoft named an unofficial practice across the software industry - Patch Tuesday.
Once per month, software companies including Microsoft, Oracle, and Adobe combine and roll out their patches and security updates in a big batch. This means security professionals can optimise their efforts, focusing on one big monthly update instead of several smaller, but often equally time-consuming, updates throughout the month. To find out more about this month's security updates from Microsoft, follow this link.
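A predictable release day only helps if someone checks that the updates were actually applied. The script below is an added example, not code from the original post or from any of the companies mentioned: it computes Microsoft's Patch Tuesday (the second Tuesday of each month, which is the real schedule) and reports hosts whose last patch run predates the newest release whose grace period has lapsed. The 14-day SLA and the host inventory are constructed for illustration; the dates are chosen around the May 2017 WannaCry outbreak.

```python
from datetime import date, timedelta

# Hypothetical internal rule (not from the post): a host must be patched within
# 14 days of a Patch Tuesday release, otherwise it is reported as overdue.
SLA_DAYS = 14


def patch_tuesday(year, month):
    """Microsoft's Patch Tuesday falls on the second Tuesday of each month."""
    first = date(year, month, 1)
    days_to_tuesday = (1 - first.weekday()) % 7  # weekday(): Monday=0, Tuesday=1
    return first + timedelta(days=days_to_tuesday + 7)


def latest_patch_tuesday(today_iso):
    """Most recent Patch Tuesday on or before the given ISO date (YYYY-MM-DD)."""
    today = date.fromisoformat(today_iso)
    candidate = patch_tuesday(today.year, today.month)
    if candidate > today:
        # This month's release has not happened yet: use last month's.
        year, month = (today.year - 1, 12) if today.month == 1 else (today.year, today.month - 1)
        candidate = patch_tuesday(year, month)
    return candidate


def overdue_hosts(inventory, today_iso, sla_days=SLA_DAYS):
    """Hosts whose last patch predates the newest Patch Tuesday whose SLA window has closed.

    inventory maps host name -> ISO date of its last successful patch run.
    Returns (host, days since last patch) pairs, sorted by host name.
    """
    today = date.fromisoformat(today_iso)
    # Only releases older than sla_days can be overdue yet.
    due = latest_patch_tuesday((today - timedelta(days=sla_days)).isoformat())
    overdue = []
    for host, last_iso in inventory.items():
        last = date.fromisoformat(last_iso)
        if last < due:
            overdue.append((host, (today - last).days))
    return sorted(overdue)


# Constructed sample inventory, dated around the WannaCry outbreak (12 May 2017).
INVENTORY = {
    "ws-01": "2017-04-12",   # patched the day after the April release
    "ws-02": "2017-03-01",   # missed both the March and April releases
    "srv-03": "2017-03-20",  # took the March release, missed April
}

if __name__ == "__main__":
    for host, age in overdue_hosts(INVENTORY, "2017-05-12"):
        print(f"{host}: last patched {age} days ago - overdue")
```

Run against the sample inventory on 12 May 2017 the report flags `srv-03` and `ws-02`; `ws-01` is within the grace period. The same check, fed from a real asset inventory, turns the "I've never been attacked" intuition discussed above into a measurable patch-lag figure per host.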
The Most Sophisticated Scam Ever!
So what is the most sophisticated scam ever? Well, this is what I received yesterday. Martin Lewis, a recognised personal finance and money commentator who was cited as validating this scam, debunked this in an interview here.
However, it is worth noting that in the past month or two, I have received three scam text messages informing me that my mobile bill was unpaid and that I should urgently click the link to settle my account or risk having my number disconnected.
Similar to many scam emails, this message also has some indicators it might be a scam. I previously wrote a short article on how to scrutinise suspect messages for telltale scam indicators, check it out here.
How to report scam text messages
In the UK mobile operators have come together to create a universal SMS shortcode for reporting scam/spam text messages. Simply send a free text to 7726 and follow the instructions that your operator will return. This allows mobile operators to track the scammers and block the numbers.
Whilst I haven't tested this in the USA, a NYTimes article suggests this number can also be used on American mobile operators.
Tell me what you think
What do you think? Share your thoughts with me, and leave a comment below.