WannaCry attack is good business for cyber security firms
SAN FRANCISCO: For Kris Hagerman, chief executive of UK- based cyber security firm Sophos Group Plc, the past week could have been bad. The WannaCry ‘ransomware’ attack hobbled some of its hospital customers in Britain’s National Health Service, forcing them to turn away ambulances and cancel surgeries.
The company quickly removed a boast on its website that “The NHS is totally protected with Sophos.” In many industries, that sort of stumble would likely hit a company’s reputation hard.
Yet on Monday, three days after the global malware attack was first detected, Sophos stock jumped more than seven per cent to set a record high and climbed further on Wednesday after the company raised its financial forecasts.
As for most other cyber security firms, highly publicised cyber attacks are good for business, even though experts say such attacks underscore the industry’s failings.
“We are making good progress and are doing a good job,” Hagerman said in an interview this week. “People ask ‘How come you haven’t solved the cyber crime problem?’ and it’s a little like saying ‘You human beings have been around for hundreds of thousands of years, how come you haven’t solved the crime problem?’”
Hagerman pointed out that his company only claimed to protect 60 per cent of NHS affiliates and that other factors contributed to the disaster at the hospitals.
“They have their own budgets. They have their own approach to IT generally and IT security,” Hagerman said of individual hospitals, which pick their own operating systems, patching cycles and network setups. Microsoft Corp had issued a patch in March for the flaw WannaCry exploited in Windows operating systems.
Yet Hagerman acknowledged that Sophos did not update its basic antivirus software to block WannaCry until hours after it hit customers.
Security experts say hospitals, where the stakes are especially high, represent a case study in how legacy industries need to up their cyber security game.
“We’ve tolerated a pretty poor level of effectiveness, because so far the consequences of failure have been acceptable,” said Josh Corman, a cyber security industry veteran now working on related issues at the Atlantic Council and a member of a healthcare security task force established by the US Congress. — Reuters