The global cyber attack of the past few days has grown again, with many more systems compromised. Russia is blaming America. America is blaming Eastern Europe. Microsoft is blaming the US Government. Newspapers are blaming Jeremy Hunt. Who knows? No-one.
I have a sneaking suspicion we’ll find this havoc has been caused by a pimply youth who was experimenting to see what could be done with code. The chances of an organised group, or a state-sponsored gang, producing what is, frankly, a rather amateurish attack are low. Those high-level cybercriminals are much more sophisticated. Besides which, even though this worldwide hacking attempt has affected tens of thousands of systems in half the world’s countries, it has, so far, only amassed $42,000. Not much for a gang attack – and certainly not enough to ensure they can run away to a new life. One day we’ll probably discover who was behind this and I suspect everyone will go, “really…?”
In the meantime, though, there is the issue of clearing up the mess. Technology teams have been working non-stop to try to restore affected systems. Many of them appear to have been using old operating systems that had not been patched with updates. Plus, many don’t appear to have invested in Internet security software, or if they have, they don’t really update it. I heard one company on the radio complaining that they had been affected and they don’t understand why, because they “update the antivirus program every week”. Whoops…! That’s the problem; you need to be updating your security software hourly, since patches are provided throughout each day, often several times a day. If you only update once a week, you leave yourself open to all the possible exploits that would otherwise have been fixed.
At least, though, that company was trying. Others don’t even have security software. It is estimated that a third of the world’s computers connected to the Internet are doing so without security programs. That means no matter how hard you try to protect yourself, others are allowing the Internet to become a criminal’s playground. It’s a bit like you locking all the doors of your house, but one of your neighbours has the same set of keys, which they leave under a flower pot.
The psychology of risk
One of the main reasons that people do not protect themselves is due to their risk perception. Consider the people who smoke cigarettes. They know that smoking kills. The packets tell them in no uncertain terms that cigarette smoking is highly dangerous. But they believe that the damage is done to other people. “It will never happen to me,” they think.
Similarly, when drivers are told that speed kills, they still drive their cars fast, assuming that accidents only happen to other people.
Human beings are really rubbish at assessing risk. We tend to reduce the level of risk in something which is high, and we tend to increase the level of risk in something that is low. We are constantly trying to “normalise” risks because that makes them easier to understand. We think aeroplane travel is dangerous when it is the safest form of transport (other than being an astronaut, which, measured in miles travelled per person, is safer still). Yet we downplay the risks of overeating and getting fat, assuming that the risk is worse for other people, when you are far more likely to die from overeating than from flying in a plane. Our brain wants to equate risks to make them easy to understand.
What this means is that many computer users around the world tend to downplay the risks of infection – they think “Why would anyone be interested in my computer? They’ll only want to attack people with something interesting on their machines.” This is the classic, “it won’t happen to me, it will happen to somebody else” stance.
Of course, people thinking this way will try to justify their decision. The NHS managers who think like this will be talking about budgets, a lack of resources and other factors that influenced their decision not to update computers. Yet, if they had perceived the risk accurately and not downplayed it, they would have found the money to tackle the problem.
What are the chances of infection?
There are 200,000 organisations around the world that thought the likelihood of their computers being attacked was low. They were wrong, of course. They downplayed the risk as part of this psychological normalisation. The result is a lack of protection, as it would be deemed unnecessary or too costly.
However, viruses and attacks like the one we have seen in the past few days do not discriminate. If a computer is connected to a network, it can be infected. The risk that your computer system will be attacked in some way is 100%. That’s because your computer is connected, over a global network that can transmit nasties within seconds, to machines that have no protection. You cannot avoid being attacked online these days. You have a 100% chance of someone or something (often bots, not people) trying to break into your computer.
When people realise that the risk is 100%, normalisation kicks in and tries to reduce that figure, both to make it more understandable and to protect us from the inevitable. The result is that we do not take steps to protect ourselves, because we perceive the risk as lower than it is in reality.
The reason so many computers in the world are unprotected – putting us all at risk – is because people have thought the risks are lower than is actually the case. However, it is not “if” your computer will be attacked, but “when”.
For 200,000 organisations the “when” has already happened, this weekend. But it could be your computer tomorrow.
The answer to dealing with the cyber attackers is to assume the risk of being attacked is 100%. That will make people do something, and the number of outdated and unprotected systems will fall. And as that happens the attackers will lose interest, as they will be unable to wreak havoc. It’s a bit like house burglars. When everyone in the street gets their property fitted with an alarm, the criminals move on to another area where they think their pickings will be easier. So it is online – except every “house” needs an “alarm” (Internet security software). Do that and the cyber attackers have nowhere to go. But the only way this will happen is if every computer user in the world properly understands the risks. And what do you think are the chances of that happening? Well, whatever you thought, the real chance is different. How do I know that? Because humans are rubbish at working such things out.