In the first half of 2021 alone, global ransomware attacks surged 93pc, driven by new techniques such as Triple Extortion, where hackers will not only hold organisations to ransom over their sensitive data but also their customers or partners as well. General ransomware released by bad actors can catch thousands of companies, and even more detrimental with such attacks is the fact that there’s no guarantee that the perpetrator will relinquish its hold on the business if a demand is paid. Previous incidences of ransomware have involved tens of millions of dollars in the US, and for smaller organisations with little in reserve, many are forced to go out of business due to a detrimental loss of revenue or damage to their reputation. Ensuring protection against them is critical, but how do organisations achieve this? asks Mat Clothier, CEO and Founder of Cloudhouse.
Vulnerable sectors
No business is immune from a ransomware attack, but certain organisations are more vulnerable by nature. Public sector organisations typically cover numerous branches and are under tight budget controls. Prioritising resources is therefore critical, leading to a focus on ensuring that front-end software enables positive end-user experiences.
The issue that arises is the tendency for back-end applications to be kept in the same state, and these can typically be critical software such as enterprise resource planning (ERP) systems that manage stocks or billing. Due to the fear that a critical back-end application may not work, organisations can find themselves in the position of operating an out-of-date operating system that’s vulnerable to cyber-attacks such as ransomware.
In early 2021, Hackney Council, which provides services for 280,000 residents in London, was on the receiving end of a significant ransomware attack, in which sensitive data was leaked online by hackers and posted to the dark web. With services hugely disrupted as a result, much of the blame was placed on legacy and non-cloud-based systems that facilitated payments or licensing approvals, while newer systems and services linked to managing the Covid-19 pandemic were largely unaffected.
Heavily regulated companies in the finance and insurance sector can run the risk of failing audits where out-of-date operating systems are being used. Other organisations, such as pharmaceutical companies, typically need to meet good manufacturing practice (GMP) compliance during audits, while a data management company for example is likely to require compliance with the general data protection regulation (GDPR).
Those who are less regularly audited are more likely to place legacy systems on the back burner and may fear the attempt to make changes in case the software no longer provides value. While some businesses can gain an exception on this from the auditor, this is only going to be temporary, and a more permanent solution will be needed.
Effective action
Failing to take any action is a giant systemic risk with the threat of ransomware looming. Along with strong and hard-to-guess passwords, patching is security 101, and businesses that fail to upgrade to a new operating system miss out on critical support that can provide a staunch defence against emerging threats.
End-of-life systems such as Windows Server 2003 for example don’t receive any patches, leaving opportunities for cyber-attackers to exploit known vulnerabilities. When thinking of this in the context of newer devices such as smartphones where updates are automatically applied on a regular basis, it’s a reminder of how much a risk out-of-date operating systems pose.
Organisations need to find a middle ground between the risk of disruption created by security breaches such as ransomware and the risk of disruption to the business via wholesale changes during a move to a new operating system, potentially incurring app incompatibility and downtime.
A best of both worlds
The best of both worlds scenario can be achieved by employing specialist solutions from a technology partner. Rather than replace a critical application, such as ERP, and potentially rack up millions of pounds worth of costs for it to run efficiently Windows 10 or 11, businesses are able to benefit from compatibility packaging. This allows applications to be abstracted from the underlying legacy platform, its run time is then isolated and made compatible for the new system.
The resulting containers can be moved to hybrid and pure cloud, with cloud agnosticism to avoid vendor lock-in and certification for Microsoft Azure with full support for operating systems running in Citrix Cloud, AWS and Azure. Businesses then gain the advantage of having an application that continues to provide critical value to its operations while running a fully patched version of Windows that provides a much stronger shield against the threat of ransomware.
Organisations also gain benefits beyond security by deploying these solutions. On top of the much lower investment needed to ensure security, with the critical application unchanged, there’s no alteration to operating procedures for employees that use or maintain it. This means that retraining can be avoided and businesses save more in terms of costs.
Continuing to efficiently update the operating system within an organisation also allows businesses to avoid the costs associated with Microsoft Extended Security Updates (ESUs). While these do allow end-of-life versions of Windows to continue to receive critical security patches for three years, they’re an expensive venture, with costs for Windows Server 2012 rising 75pc in year one, 100pc in year two and 125pc in year three.
The alternative option
Ultimately, out-of-date operating systems are a root cause for security breaches such as ransomware, but frequently organisations have chosen to accept the potential risk when weighed up against the problems associated with transformation of current systems. Now, supporting technology solutions open up an alternative strategy that allows businesses to successfully move to patched systems while avoiding disruption to their business.
Ransomware remains a real and growing threat, and recent research discovered that 61pc of UK organisations expect to see an increase in reportable ransomware incidents in 2022. However, by working with a partner like Cloudhouse and investing in compatibility packaging solutions, organisations are able to move to a more secure operating model and build the strongest wall possible around their operations and mitigate the cyber risk.
