Shit just got real

Over the past few years, we have had plenty of time to read about the exploits of malicious hackers. These have appeared on the news so many times that we have had the (mis)fortune to get desensitised to them. Why does it matter? Why should anyone care about who got hacked? And then, what can one (the layman) do about it?

It matters because it can affect us, and affect us badly. Our personal details are stored by many companies and governments. Not all of them put effort into securing the information that they have been entrusted to keep safe. Details such as our birth date and our address may be used by our bank or our email provider to verify our identity over the phone. Imagine if someone were able to access our email just because they knew our birthday and our address. This happened to the director of the CIA, James Brennan. It has happened to ordinary people as well.

What about the companies that got hacked? Sometimes the result of the hacking is (relatively minor) reputational damage in the form of website defacement. It is a serious matter when personal information, email contents and proprietary data are stolen – things that can directly affect a company’s bottom line and harm its customers. Theft of money or something like money (such as credit card information) also happens. How do we not get habituated to ignoring these things when they show up in the news?

Last week presented something that I found to be quite scary: the “shit just got real” moment. A hospital in Hollywood had great difficulty doing the job of caring for its patients because of an attack on its IT infrastructure. The hospital’s files were affected by a type of malware called ‘ransomware’, which encrypts the data and keeps it encrypted until it is decrypted with a key obtained after paying the ransom. Staff used pen and paper to record new patient details, and transferred some patients out to other places. Patients’ records are stored in computers. Their details are digitised so that a doctor or nurse can easily pull them up on a monitor when doing their work. What happens when something as basic as a hospital is unable to function because its IT is hit? This is why security is important, and why we have to demand that our various service providers take it very seriously.

What can we do about this?

  1. Educate yourself about personal information security.
  2. Vote with your feet against companies that do a bad job; especially against companies that are unrepentant and against companies that claim that they were hacked by “sophisticated” attackers (don’t take their word for it).

If you happen to work in IT, operations, or risk management, make the effort to understand how information security risks may affect your organisation and your clients and take steps to reduce the risks.