Cybersecurity (yes, cyber-hacking) is causing severe problems across industrial sectors. As the world was processing the implications of the massive hacking attacks on Equifax, a credit rating and management company, another one was reported on Monday. Accounting giant, Deloitte, was breached.
A bombshell report on Monday revealed that Deloitte was hit by a major cyber attack that compromised its email system and certain client records. The news is a major black eye for one of the world’s “big four” accountancy and consulting firms—especially since a major part of Deloitte’s business is selling cyber security. […]
The initial report of the Deloitte breach came from the Guardian, which revealed hackers had compromised the “confidential emails and plans of some of its blue-chip clients.” In response, the firm confirmed it had suffered a cyber-attack, but played down the significance by saying “only very few clients were impacted.”
It is not just companies. Institutions like United States Securities and Exchange Commission (SEC) have been compromised as bad actors look for information to manipulate markets. Everyone is affected including governments and small businesses. This is a huge global challenge. I have written on this in the past. I want to revisit it owing to questions from the community. Someone had asked: “how can a small company protect itself?”.
Why Are We So Exposed?
Indeed, we are exposed. The reason is the way the software industry is structured, largely in the past, though still prevalent. Before you buy software, you have to put in a company budget. The accounting people take a look and management approves. The deal is done and just like that they begin to depreciate the new acquisition. For the accountant, the software tool has been bought and there is no reason the IT department should come back, for more money, for the same software. It is bought and available for use. That has been the pattern. And that is the root cause of many of the hacking issues especially in small companies.
The company that sold you that software has a new version which fixed some security holes discovered a month after it deployed yours. Unfortunately, it has no incentive to tell you because you have paid 100% and the firm is gone. The vendor had supplied and left the premises. It happens all the time. The vendor puts a statement on its website. No one visits every vendor to read about software patches. The fact is that few customers know of any patch especially for those not deployed electronically.
Over time, your software and data become so integrated that even if you want to update to the latest software, the risk of messing up your operation puts such plans in the cooler. That was what happened in the WannaCry software when hospitals in UK were concerned that upgrading their solutions to newer versions of the software would put some 3rd party software out of use. In other words, a company supplied software that runs on Windows XP and you have been using that software for 5 years. Everything has been working fine. If you upgrade to Windows 10, that software could malfunction because the vendor did not make it for Windows 10. So, to avoid breaking that critical software, you make sure you do not upgrade to Windows 10. That Microsoft had stopped patching the Windows XP is irrelevant to you. You just hope that bad things will not happen. Unfortunately, they do, maybe not in weeks, but in years. WannaCry was a good case study in the UK healthcare sector.
The 3rd party vendor had since gone and getting him/her back will mean more money which you do not want to spend. You needed to have the vendor to upgrade the solution to work on Windows 10. You cannot because the accountant does not see a way to do that. You have your software and now you want more money for it. So, what do you do? You just hope nothing bad happens and so there is no update. When security issues happen, your system is one of the first to be affected.
The biggest problem in today’s software business is that interests are not aligned and that is why we are having many hacking challenges. Most times, the technologies are there but the operational fixes are not done. Without that alignment between IT and finance, no company can experience better protection. I do think the way we acquire software must evolve.
A Better Model
Work hard to convince your account people that software cannot be treated like vehicles which must be acquired and left to depreciate. Software is unique because it is “living” which means it has to be nurtured with licensing and upgrades. Where possible, pursue a path of Software as a Service (SaaS) where you do not buy software, but rather service from software. That way, the software, the security protection on it, etc are included in the service.
Today, it is only cloud offering that makes that possible. With cloud, the maker has no version. It only has a solution and that is always current. Think of Adobe model which does not have any version because its solutions are now cloud-only, meaning that it sells through subscription. Adobe gives you security protection and the service you need. You do not need software; you need a solution that does your work.
Once you can get the cloud subscription-based software, you can be sure that your software is at least update to date. To make that happen in your firm, you must convince the accountant that every month or year, money has to be made available to support the subscription.
I know that in Africa, we do not like subscription. We like to own things. But if you really want to be ahead of this cybersecurity tsunami of issues, you must learn to think differently. Software patches do work but the problem is that most times we make sure patches do not happen. It is as simple as turning the patch into manual update, and all the efforts from the solution providers to deliver upgrades are stymied. Cloud takes away that decision from your people and that is why it is more efficient. The product is always current and you do not need to worry about of any patch. Consider that software acquisition strategy where possible.