The post WannaCry and Petya world is a money making opportunity for some.
After last week’s Petya ransomware outbreak, coming only a few weeks after the WannaCry outbreak, a predictable series of events unfolded.
Not the technologists urging companies to take preventative actions against such attacks, not the security specialists deconstructing the attack, its origins and its motivations, and its far-reaching effects. The events I’m talking about are how the stocks of listed cybersecurity companies rose.
Love it or loathe it, the analysts of Wall Street are highly focused money-making machines. Within hours of Petya breaking they started investing in a range of stocks, pushing prices up by around 4%.
I’m by no measure an analyst, more an interested armchair pundit, but having overindulged in both the business and technology press for the last 20 years I started to unpick why this may be.
Firstly, I have to assume that the analysts and investors are predicting that this attack would generate an almost immediate spike in sales, especially to the unprotected organisations, what could be labelled as the ‘horse has bolted’ approach to cyber threat mitigation. I’ve seen this sort of spike before in other areas; for example, whenever there is a hurricane in the USA, stocks in timber and building supplies companies usually increase.
Secondly, and probably more importantly, they probably believe that although the top tier companies, the banks, the national infrastructure and others are slowly addressing cyber risk, the mid-tier and down to the SMEs constitute a large untapped market for cyber security products.
If that is correct, then it also suggests that even after the front page grabbing WannaCry outbreak, now swiftly followed by Petya, the wide adoption of cyber security technologies is still in its infancy. And if even two global ransomware outbreaks in as many months don’t mobilise the masses, although it may still be early days, then what will? Has the cyber security industry failed to get its message across? Or does the mass market genuinely not believe that the risk of cybercrime is a big enough threat to warrant the necessary financial investment to protect themselves?
With Petya the ransom was $300 US payable in Bitcoin and that makes it ‘affordable’ compared to undertaking a root and branch review of IT security, training and governance that is recommended to make a business secure. Does this mean that the criminals are winning?
What I believe it means is that the criminals have reached the mass market adoption, or should I say acceptance, of ransomware. When discussing the Petya outbreak the TV show, Bloomberg Technology, theorised that cyber criminals, especially those engaged in the mass spreading of ransomware, are purely after money. They are not interested in information, in hacktivism and disruption, or in reputational damage. It’s just about the cold hard cash.
So we have Wall Street making money as they predict more sales and the criminals making money as they have found their market sweet spot of pricing. Considering how cybersecurity is often discussed as a mucky business, because it only exists due to criminal intent, it does give new meaning to the age-old adage “Where there’s muck, there’s brass”.
Although my thoughts on both sides of the money-making argument may seem pessimistic, they are not. We are still very much in the Wild West days of cyber security. Similar to how the very early days of the Internet saw all manner of disruptions, distractions and changes to the business landscape all of which have slowly but surely assimilated themselves into everyday life, to the point that using online shopping, streaming music and other entertainment is the norm.
Cybersecurity will become commonplace and every day for the mass market within the next few years, of that I have no doubt. However, in the process either Wall Street or the criminals, or maybe both, are going to make a lot of money.