Weekly Podcast: Ransomware, Turkey, Cthulhu, Instagram

Hello, poddlers! This week, we consider the threat of ransomware, the apparent hacking of the Turkish police, a survey of IT professionals, and new security measures for Instagram.

Hello and welcome to the IT Governance podcast. Here are this week’s stories.

The president of the Hollywood Presbyterian Medical Center in Los Angeles – which was hit by a ransomware attack that encrypted patient files last week – has said that his hospital has paid criminal hackers a $17,000 ransom to regain control of its computer systems.

It was initially reported that a ransom of 9,000 Bitcoins – about $3.4 million – was demanded, but Allen Stefanek, the president and CEO of Hollywood Presbyterian, said in a statement that this was inaccurate. “The amount of ransom requested was 40 Bitcoins, equivalent to approximately $17,000,” he said. “The quickest and most efficient way to restore our systems and administrative functions was to pay the ransom and obtain the decryption key. In the best interest of restoring normal operations, we did this.”

Ransomware is on the rise – for another recent example, think of the Lincolnshire County Council incident that we reported only two weeks ago – and the debate about how best to handle it continues. As a security firm, we of course say “don’t pay”: there’s no guarantee that your files will be decrypted, and nothing stops the attackers from simply increasing their demands once they know you will pay. Much better to ensure you aren’t hit in the first place by implementing and maintaining adequate security measures – such as staff training to stop your employees inadvertently downloading malware – and by backing up your data regularly. Those backups need to be kept offline or otherwise out of reach of the malware, and restoring from them needs to be tested: ransomware that can reach a connected backup will encrypt that too.

As last August’s Symantec report into the evolution of ransomware put it: “The cyber criminals behind ransomware do not particularly care who their victims are, as long as they are willing to pay the ransom.”

Someone using the name ROR[RG] has released 17.8GB of sensitive data stolen from the Turkish General Directorate of Security (or EGM) – Turkey’s national police – in order, they claim, to “take action against corruption” in the country’s government. The data was released via the Cthulhu website. (H. P. Lovecraft aficionados, start debating pronunciation now.) Some sources have claimed that the hacktivist group Anonymous was behind the attack. We’re waiting to see what the leaked data contains.

A new survey of IT and information security professionals in the UK has found that one in six have hacked their own or other organisations, and 28% have knowingly circumvented their own security policies. The report, conducted by Absolute Software, notes that staff fail to follow 36% of security protocols and that 30% of respondents suffered a data breach within the last year. 66% of respondents said that IT managers are primarily responsible for their organisation’s security, 73% expect to increase their security spending this year, and 58% of IT decision makers believe they would lose their jobs in the event of a security breach.

In a move that will please security-conscious photographers of sepia-tinted lunches, filtered sunsets and caffè latte art, Instagram has confirmed that it is beginning to roll out two-factor authentication – at last. Users will soon be able to log in using a one-time code texted to their phones in addition to their password. TechCrunch, which broke the story, points out that this means that criminal hackers will “need more than your email and password [which] could be guessed, stolen, or tricked out of you with a phishing scam.” Good Thing. One caveat: a code sent by text message can still be intercepted or diverted by an attacker who takes over your phone number (a SIM swap), so where a service offers an authenticator app instead of SMS, that is the stronger option.

And… that’s it for this week. Until next time, remember that you can keep up to date with the latest information security news on our blog. And whatever your cyber security needs – whether regulatory compliance, stakeholder reassurance or just greater business efficiency – IT Governance can help your organisation to protect, comply and thrive. Visit our website for more information: itgovernance.co.uk.