The past week could have been bad for Kris Hagerman, chief executive of UK-based cyber security firm Sophos Group Plc. Forcing some hospitals to turn away ambulances and cancel surgeries, the WannaCry “ransomware” attack hobbled some of its hospital customers in Britain’s National Health Service.
A boast on its website that “The NHS is totally protected with Sophos” was quickly removed by the company. That sort of stumble would likely hit a company’s reputation hard in many industries.
Yet, Sophos stock jumped more than 7 percent to set a record high and climbed further on Wednesday after the company raised its financial forecasts, three days after the global malware attack was first detected.
And even though experts say such attacks underscore the industry’s failings, highly publicized cyber attacks are good for business, as they are for most other cyber security firms.
“We are making good progress and are doing a good job,” Hagerman said in an interview this week. “People ask ‘How come you haven’t solved the cyber crime problem?’ and it’s a little like saying ‘You human beings have been around for hundreds of thousands of years, how come you haven’t solved the crime problem?’”
Other factors contributed to the disaster at the hospitals, and his company only claimed to protect 60 percent of NHS affiliates, Hagerman pointed out.
“They have their own budgets. They have their own approach to IT generally and IT security,” Hagerman said of individual hospitals, which pick their own operating systems, patching cycles and network setups.
Sophos did not update its basic antivirus software to block WannaCry until hours after it hit customers, Hagerman acknowledged.
Hospitals, where the stakes are especially high, are a case study in how legacy industries need to up their cyber security game, security experts say.
“We’ve tolerated a pretty poor level of effectiveness, because so far the consequences of failure have been acceptable,” said Josh Corman, a cyber security industry veteran now working on related issues at the Atlantic Council and a member of a healthcare security task force established by the U.S. Congress.
“We are going to see failure measured in loss of life and a hit to GDP, and people will be very surprised.”
Perhaps 85 percent of U.S. medical institutions have no staff qualified for basic cyber security tasks such as patching software, monitoring threat advisories and separating networks from one another, Corman said, and some long-lived medical devices have more than a thousand vulnerabilities.
Increasingly serious cyber security problems are partly an inevitable consequence of the growing complexity of digital technology.
Ultimately, instead of another nurse or two, hospitals need to hire solid cyber security people, Corman said.
“What’s needed is punishment of the negligent,” said Ross Anderson, a University of Cambridge pioneer in studying the economics of information security, referring to the hospitals that did not stop WannaCry.
“This is not about technology. This is about people fouling up in ways people would get a pink slip for” in less-insulated environments, he said, meaning they would lose their jobs.
(Adapted from Reuters)