When I was in my 30s, I woke up one morning with a terrible pain shooting down one side of my back and around the side. The pain was so terrible, I could barely move, and was only able to move my neck slightly to look down, convinced that I would see myself impaled by a sword.
Thankfully, I had not been attacked by a knight, or a ninja in the middle of the night. Luckily, I managed to get myself to a doctor who poked and prodded me, and referred me for an MRI scan. Once the scan was done, I was sent to see a specialist.
Upon walking into the room, the specialist had my scans in his hand, looked up and asked me, “What kind of accident were you in?” “Accident? I have not had an accident, are you sure you are looking at the right scans?”
The doctor assured me that he had the right scans and proceeded to point out dark and light areas which somehow showed that there was some damage to my spine and a few of the disks. I began questioning my own sanity, maybe I had been Total Recalled and been given these fake memories of a life in cybersecurity, whereas I was actually a secret agent that had been presumed dead after I was thrown violently from my car during a crash, but instead landed on the back of a tractor, where I was taken in by a kind farmer.
The truth was a bit more dull. When I was a young 12-year-old boy, I was cycling along the road and got hit by a car. I bounced on the bonnet and cracked the windscreen before falling onto the ground unconscious.
When I shared this incident from over 20 years ago, the specialist got all excited, saying how the damage to the spine was perfectly consistent with the type of accident I had. He also went on to explain that sometimes an incident happens and the impact is not fully realised until many years later.
The reason I bring this up is that we do not often talk about the long-term impact of cyber attacks. Take ransomware, for example. Many times, organisations do not know if there are backdoors that have been left in, or what data was stolen in the process. So, the question is, could something happen a year or 20 years later that could have an impact on the organisation?
While we probably do not have an exact answer for that question, we saw that in December 2021, Gloucester City Council in the UK was hit by a cyber attack which impacted benefit payments, planning and house sales. However, more than a year later, Gloucester museum still has not regained access to its database which had been used to create exhibitions at the venue and aided investigations into the city’s historic monuments.
In the coming years, the full extent and impact that cyber attacks have had on organisations will likely become clearer, which is why preventing attacks such as ransomware is vitally important. Otherwise, a CISO may find an incident they thought was closed many years ago still coming back to haunt them.