The news of a ransomware attack that began in Europe has made headlines across the globe.
The WannaCry software locked thousands of computers in more than 150 countries. Users were confronted with a screen demanding a $300 payment to restore their files.
How and where are we most vulnerable?
Increasing reliance on mobility and the cloud has increased data security concerns for companies across the globe. But the high speed with which technology moves – particularly software/app technology – also means that software patents are almost, if not completely, worthless. Within two or three years, unless it is completely ground-breaking, the technology is outdated.
So which companies are most at risk when it comes to protecting intellectual property (IP) Ryan Tucker of RM Tucker Attorneys says that, in a digital world, those organisations likely to be most at risk are those that:
- rely heavily on the Internet and cloud services, with numerous, unmanaged and disparate connections;
- own copyright in databases of personal and proprietary information; or
- intend to apply for patents for inventions in all fields of technology (including the software/app sphere), but can’t obtain protection for their inventions because of the defensive tactics used by Google, Facebook and other giants during the patent prosecution process.
Handle on hacking
When it comes to hacking, what’s the worst that can happen? According to Melissa Viljoen, Marketing Manager at Dial a Nerd, “Some might say the worst that can happen is hackers changing who actually runs countries. Many people hypothesised that Hillary Clinton’s leaked emails played a significant role in her loss to Donald Trump. Others might say the worst that can happen is a loss of privacy for everyone using the Internet, if we consider the alleged CIA techniques for intercepting messages between devices.”
More common are credit card and identity theft. Ster Kinekor’s website was recently hacked, and the details of 6.7 million people stolen. But those in the know tell us that the biggest threats to a company’s IP reside inside the organisation itself. That’s right: the company’s employees.
Ransomware is one threat that’s activated internally, with the most typical method of entry an email that looks authentic but has an infected attachment. Viljoen warns that ransomware can creep into any organisation, drain productivity and cost the company millions.
Plus, cyber-criminals are constantly distributing new forms of ransomware and re-inventing existing ones. It’s important to be aware that today’s hacking syndicates, which run like businesses, are all about efficiency. The successful hackers are no longer those presenting badly written ‘phishing’ emails.
Guarding good ideas
Let’s say, for argument’s sake, that pre-patented or pre-design-registered Research & Development could be accessed by cyber-criminals. They could put it in the public domain before the company has a chance to patent or design-register the technology, potentially destroying the novelty of the inventions or designs. However, says Tucker, there are legal provisions in the Patents Act and the Designs Act to protect against this unfortunate situation.
These Acts state, for instance, that if the invention or design was placed in the public domain without the consent of its real owner, this will not prevent the real owner from getting patent and/or design protection.
Viljoen advises that the best ways for companies to deal with internal IP threats are user education and controls enforced by group policy, like disabling USB ports or preventing uploads to file-sharing websites.
Are USB drives really so dangerous? Yes! A 2016 study found that almost half (and possibly more) of varsity goers who pick up a random USB drive in the parking lot plug it into their computers – with only a handful of those who take precautions doing so effectively (16% scan it for viruses), and the majority taking no precautions at all.
“The security community has long held the belief that users can be socially engineered into picking up and plugging in seemingly lost USB flash drives they find,” said a team of researchers from Google, the University of Illinois Urbana-Champaign, and the University of Michigan.
This led the researchers to believe that an attacker would have no problem spreading malware in an organisation, by dropping an infected USB drive in a public place. “We hope that by bringing these details to light, we remind [companies] that some of the simplest attacks are realistic threats,” they said. “Much work is needed to understand the dynamics of social engineering, develop technical defenses, and teach users to protect themselves.”
Tucker recommends that companies have suitable social media and personal information policies in place, as the POPI Act is likely to come into effect in the first or second quarter of 2018. But such policies are only as good as their monitoring and enforcement. So companies should take steps not only to draft the appropriate policies and get buy in from their people, but also to monitor their employees during (and possibly even beyond) the work day.