What the Hydro ransomware attack really says about the state of IT in business today
On Tuesday, March 19th 2019 Norsk Hydro reported that they had been the victim of a significant cyber attack. The company stated that their internal IT systems were all down and that they had had to return to manual processes to maintain the operation of the business. Even the company website had been hacked. Hydro was having to resort to status updates on Facebook to keep investors and clients informed.
Hydro is not a small business. It employs over 35,000 people in 40 countries. How could a company of this size have let an incident of this impact happen in their business?
This isn't an isolated incident. There have been many examples of high profile companies being severely affected by cybercrime.
- Merck. Cost $300 million. 2017
- Cosco. Cost $300 million. 2016
- National Health Service UK. Cost £92 million. 2017
There is no official statement on the cause of the attack at present. It is highly likely that the true cause will never be revealed. This is because to do so would highlight where the business IT systems were found wanting. When these types of incidents occur they are worked on in relative secrecy and the root cause remains an internal matter.
When a press release is eventually made, the answer will be a well coordinated and PR managed response. Enough to satisfy the rabid salivations of the IT industry hacks. Yet no real detail as to what was really rotten in the state of Denmark. What is it that is causing businesses to suffer these kinds of attacks?
You might think now that I am going to go into some deep dive on the intricacies of how ransomware works. If I did that then I would become a further part of the real problem.
The real problem is that IT and technology are not taken even slightly seriously by the people who run companies. All the marketing bumpf will waffle about new technologies and the power of social media.
Yada yada yada
IT is the biggest elephant in the room.
It's so big there is no space left in the room for much of anything else. The fundamental fact is that business leaders do not understand technology and because of this they choose to ignore its impact on their business. In many ways, I can’t blame them. Who have they had to talk to about tech for the last 20 years? IT people. Anyone who has had a conversation with tech support or an IT manager has had one of two experiences.
- Being patronised to death by a condescending smart arse
- Being bullshitted with technobabble as to why XYZ problem occurred and it's all fixed now anyway.
Whichever way you cut it, IT people have done themselves no favours in how they talk to others. They talk in jargon and struggle to understand why others cannot get how simple it is to use a computer. If you stick an ear into an IT team's office you will hear comments about lazy employees, thick people and how management does not understand them.
It is no surprise that most IT teams have isolated themselves entirely within a business. Everyone else in sales, marketing, customer services and operations are pulling together for the win. It is IT that sits alone moaning and causing everyone else misery.
The IT team thinks everyone is either stupid, ungrateful or both.
Because of this, you end up with the situation that so many businesses are in today. The C suite has decided to pretend that IT isn’t really very important. Because that's easier than accepting that it is and that they have no understanding of what to do about it.
The IT team meanwhile is keeping quiet. They feel that if they are not constantly fixing problems then they have no value. It is the act of fixing things and saying “all working now” that gives them self worth and justifies their position.
If this situation sounds familiar to you as the leader of a business then it is time to take heed. This is a very dangerous situation to be in. The events of Hydro are a direct result of this type of situation. Of that I am sure.
OK, so what might have happened? Let's have a look at this in a bit more detail.
Hydro reported that this was a ransomware type attack. This kind of attack makes opening files on your computer impossible. Think about it this way. You log in to your computer at work and go to open Excel to work on your sales figures. The file doesn’t open. You get some message about it being corrupted.
What has happened is that all your files on your Desktop and Documents are broken. Likewise, if you have a drive letter like F: or H: for files, all of those files are broken too.
When you try to use the company database system that doesn’t work. You look around the room and everyone else is in the same boat.
At this point, there is nothing IT can do about fixing it with you. It's too far gone for that. There are two realistic choices now.
- Restore all broken systems from backup
- Pay the criminals the ransom and get your data back
This is a Hobson's choice. The first option to restore data sounds like the obvious one. Restore the data and let's get back to work. Here comes the first problem.
How long does it take to restore the data? Does anyone actually know?
When was the last time you practised restoring the data so that you know that it will actually work?
Time to take action. If you cannot answer these questions right now then you need to go ask them today.
Do you know the cost to your business for every hour that you are not trading, manufacturing or servicing your customers? Don’t forget to add the non-tangible costs to your reputation and brand from not being able to do business. Can you put a real cash value number on every 24 hours that your business is down?
Work out that number.
OK, what about option 2? Pay the criminals? Yes, you can do that and many businesses have. The cost of restoring systems was more than the ransom. In some cases, businesses have been unable to restore the data because they either didn’t have backups or those backups didn't work as they intended them to. They had no choice but to pay the criminals.
The problem with paying the ransom isn’t that it won’t work. It usually does. After all the criminals want you to pay them so they have a history of making good on their claims to get you your data back. They want you to see payment as the right choice.
No, the real issue is that you have to pay them in cryptocurrency. Do you know how to set up a Bitcoin wallet and transfer real money from your bank into an exchange and then make a payment to a wallet address that looks like this?
1BvBMSEYstWetqTFn5Au4m4GFg7xJaNVN2
Because you are going to have to pay the criminals in their world, not yours. If you don’t know how to do all this and how long it takes to get set up then what are you going to do? You can’t set up a Bitcoin wallet full of real-world money in a few minutes. It can take over 24 hours and longer. You can’t call anyone for help because you are operating in the world of criminals. Don’t underestimate this, sorting out paying a ransom takes time. All of that time is costing you real money and reputation.
I can’t tell you how much a ransomware attack will cost your business. You have to work out what it costs you in tangible costs (not being able to trade, service clients, manufacture) versus non-tangible costs (reputation, breaking contracts and agreements for service, brand damage). You need to work this out by the hour and then add up the numbers.
You can’t multiply that number by the hours you are down until you know how long it takes to restore your systems.
You can’t know the ransom cost until it happens. What if it was 100 Bitcoin? As of 20th March 2019, the value of Bitcoin is £3017. Do you have £301,700 available?
Did Hydro do anything wrong?
I don’t know the systems at Hydro. What I can do is outline some of the key factors that make you more likely to suffer a ransomware attack.
You have older versions of Windows on your computers. If you have Windows 7, Vista or XP you are at a much higher risk of attack. The newest version of Windows will always be the most secure. You should run the newest version of Windows.
You are not using a modern email system like Gmail and to some extent Office 365. The easiest way for a criminal to get to your computer is by email. After all, anyone can send you an email. All it takes is one criminal to get their email to you and for you to open the link or file they have sent you. It is not realistic to expect any system that is running on your own computers to be able to provide the level of detection that someone like Google can. The sophisticated threats being used in attacks like the one at Hydro require that you use email systems like Gmail to achieve the highest levels of protection.
You are able to install applications on your computer. This means you are what is called in the IT world, an admin. If you can install applications on your computer without having to enter a password then any file you open from an email can do the same. This is how criminals get their programs on your computer.
You do not have your email system set up in the most secure way. There are three settings that are very important to your email security setup. These are called SPF, DKIM and DMARC. If you do not have all three of these set up correctly then you are making it much easier for a criminal to target your business with an email. In particular, the correct settings for SPF and DKIM will reduce the opportunity for a criminal to send an email to your business that appears to come from someone else in your business. You may have heard of this. It's called phishing. All three of these settings are free to deploy. You can see if your business has them by using this tool from Google. Type in the part of your email address after the @ and see the results.
The image below shows the results for hydro.com today March 20th 2019 at 11:07
You can see that they do not have DKIM set up even now after the ransomware attack. This is the most important of the three settings for helping to protect your business from email threats and yet again this is not in place.
All these tools are freely available for criminals to use to target your business. If they can see that you do not have Gmail, you do not have SPF, DKIM and DMARC then they know you are likely to not have taken other security matters seriously too. You become a primary target.
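To show what a check of these three settings actually looks at, here is an added sketch (not part of the original article and not Google's tool) that grades SPF, DKIM and DMARC from DNS TXT records. The domain names, the selector `s1` and every record are constructed sample data; note that a DKIM record is published under a selector name, so it can only be looked up when the selector used by the mail system is known.

```python
def parse_tags(record):
    """Split a 'k=v; k=v' TXT record (DKIM/DMARC style) into a dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def check_spf(txts):
    spf = [t for t in txts if t.lower().split()[:1] == ["v=spf1"]]
    if not spf:
        return "missing"
    if len(spf) > 1:
        return "invalid: more than one SPF record"
    alls = [t for t in spf[0].lower().split()[1:] if t.lstrip("+-~?") == "all"]
    if not alls:
        return "weak: no 'all' mechanism"
    qualifier = alls[-1][0] if alls[-1][0] in "+-~?" else "+"
    return {"-": "ok: -all (hard fail)", "~": "partial: ~all (soft fail)",
            "?": "weak: ?all (neutral)", "+": "weak: +all (any sender passes)"}[qualifier]

def check_dkim(txts):
    for t in txts:
        tags = parse_tags(t)
        if "p" in tags and tags.get("v", "DKIM1").upper() == "DKIM1":
            return "ok: key published" if tags["p"] else "revoked: empty p="
    return "missing"

def check_dmarc(txts):
    recs = [parse_tags(t) for t in txts if t.strip().lower().startswith("v=dmarc1")]
    if not recs:
        return "missing"
    policy = recs[0].get("p", "").lower()
    if policy in ("quarantine", "reject"):
        return "ok: p=" + policy
    return "weak: p=none (monitor only)" if policy == "none" else "invalid: no p= tag"

def audit(zone, domain, selector):
    """zone maps a DNS name to its TXT strings (stands in for live lookups)."""
    return {"SPF": check_spf(zone.get(domain, [])),
            "DKIM": check_dkim(zone.get(f"{selector}._domainkey.{domain}", [])),
            "DMARC": check_dmarc(zone.get(f"_dmarc.{domain}", []))}

# Constructed sample records for two made-up domains.
ZONE = {
    "weak.example": ["v=spf1 include:_spf.mail.example ?all", "site-verify=abc"],
    "_dmarc.weak.example": ["v=DMARC1; p=none; rua=mailto:dmarc@weak.example"],
    "strong.example": ["v=spf1 ip4:192.0.2.0/24 -all"],
    "s1._domainkey.strong.example": ["v=DKIM1; k=rsa; p=CONSTRUCTED_KEY"],
    "_dmarc.strong.example": ["v=DMARC1; p=reject"],
}

if __name__ == "__main__":
    for name in ("weak.example", "strong.example"):
        print(name, audit(ZONE, name, "s1"))
```

A record that merely exists is not the same as one that protects you: `?all` in SPF and `p=none` in DMARC are both published settings that tell receivers to take no action.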
None of this is rocket science. It is a standard best practice. The problem is that most IT people don’t do this best practice. That's usually because they are incompetent or lazy.
Am I being outrageous here? How dare I slag off all the IT people? Well, you tell me why they have not implemented these settings in your business? It costs nothing to do. It will make things safer for you and have no negative impact. What other choices are there than they don’t know what to do or that they cannot be bothered to look after your business correctly?
It is time to have a sit down with yourself and ask the difficult questions.
Do I really value IT in my business to the same level I do sales?
If not, why not?
What has happened at Hydro can happen to you. Everything in this article that I am telling you that you need to do is all to maintain the status quo. I have not even touched on all the ways that a modern IT system can improve your business and culture.
At some point, the criminals will come after your business. You will either have prepared or you won’t.
Which leader do you want to be when the time comes?
My Company provides fully outsourced IT services including Helpdesk, Engineers, Installations, Hardware, Phone Systems and Copiers to over 400 clients around the UK since 2001
5 years ago

Interesting article Kyle - I don't entirely agree with the fact that IT people like "fixing stuff" in order to justify their worth but you are spot on about Companies not taking IT seriously within the business. Businesses usually turn to technology to fix a problem within the business but solutions are sought and implemented quickly with no real thought about consequence and implementation, the "IT" person is left to implement it on his own without any checking that he is doing it the best way. IT needs to be run like the airline industry, do you think Boeing throw in a solution to a problem without first doing a complete analysis of the impact and how it can be managed moving forward? With SMEs it's all about the now and what's next to be done, you build an over complicated system hanging together that will ultimately collapse. You are correct as well IT people are to blame with their waffle and bull shit they have been spouting to business owners that has now devalued every IT conversation. There is no room left for Companies like mine and yours that I feel are giving good, sound knowledge and advice. Keep up the good work.