Fishy chips may cause boardroom stink

The Meltdown and Spectre security flaws in microchips could transform the dull routine of applying security patches into a boardroom issue.

The flaws found to affect nearly every modern computing device have prompted tech firms to hurriedly develop patches to address the vulnerabilities before hackers find a way to exploit them. Organisations will increasingly be judged on how quickly they react to these security issues, says Gareth Wharton, Cyber CEO of Hiscox.

The race is now on between companies and the hackers. But the speed of how companies react to the crisis will be closely watched. “Directors are increasingly likely to hold a company’s executive team, and its IT department, accountable for how quickly and effectively they ensure its systems are secured,” says Wharton.

“Hackers’ methods and weapons are continually evolving, so companies have to be constantly vigilant and update their defences frequently so they are protected. Companies that are attacked when there was a patch available will come under increasing scrutiny as to why they didn’t act quicker,” Wharton says.

Amazon and Microsoft, two of the biggest cloud service providers, have sought to allay users’ concerns by announcing they had already applied security patches to counter the flaws before they were publicly revealed in early January. But many companies that run their own servers are scrambling to update their systems.  

Quick reactions, constant vigilance

The string of high-profile attacks has put organisations’ IT-security processes under the spotlight. Many organisations needn’t have fallen victim to last year’s Wannacry ransomware attack if they’d upgraded their systems quicker. Microsoft issued its first patch against the EternalBlue exploit in March 2017, nearly two months before it was used to propagate the Wannacry virus, which went on to cripple many companies’ systems and brought parts of the NHS to a standstill.

“Not applying a security patch in a timely manner might be interpreted as being akin to having a burglar alarm and not bothering to turn it on when you go out. You’re just leaving yourself open to attack,” Wharton says.

Companies could face lawsuits from investors alleging that their board and management breached their fiduciary duties in failing to ensure the company had adequate controls and procedures in place.  It might also lead to disputes between companies and their insurers.

It will be increasingly hard for companies to hide if their IT systems aren’t properly updated, especially now underwriters have access to  ‘outside in vulnerability scans’ – looking for holes in organisations’ server configurations, including checking if they are properly patched.

“In the past, IT has been widely regarded within companies to be a dull backroom function, an expense rather than an asset. But as more companies grasp how technology can enable them to grow and be more efficient they will also need to appreciate the importance of digital hygiene: making sure their processes and systems are secure and up to date.

“It’s such an important part of doing business today that it’s sure to become an increasing matter of concern to directors” concludes Wharton.