What Your Business Can Learn from WannaCry
The biggest cyber attack began in May, spreading to more than 150 countries and infecting 200,000 machines. The outbreak is a ransomware threat, WanaCrypt0r 2.0, also known as WannaCry, with worm-like capabilities that leverages an exploit against vulnerable Microsoft Windows® operating systems. Ransomware mimics the age-old crime of kidnapping: someone takes something you value, and in order to get it back, you have to pay up. Owners of the infected computers have been told their information is being held to ransom until they pay $300-$600 via Bitcoin. Victims, so far, include hospitals, universities, manufacturers, transportation and government agencies in countries such as Britain, China, Russia, Germany, the U.S. and Spain.
Impacted organisations worldwide are grappling with two questions: a) What could we have done to prevent this attack? b) How bad is the impact? The advice they are getting from cyber security vendors is of a technical nature. However, with a purely technical approach, it is difficult to put security details into business context fast enough to determine what impact they have on business continuity, personal data, intellectual property and reputation. Here are some thoughts on looking beyond the technology and adopting a Business-Driven Security approach:
Raise Executive Awareness. Risks that do not make it into boardroom discussions do not receive the visibility they need to be properly addressed. Cyber risk has been recognised at the executive level. However, technology risks are still not translated well enough into business value terms that executives can understand, which they need in order to make educated decisions on courses of action.
Strengthen the Human Factor. People are usually a weak point in the defence against cyber threats such as ransomware. They don’t change their passwords, or they open an email link that leads to malware.
Focus on What is Critical. Business Impact Analyses (BIA) should be performed regularly to identify which business processes are most critical to the organisation’s objectives. By extension, the systems, devices and information assets used by a business process inherit its criticality, so that criticality is rated consistently across the organisation. Highly critical business processes, systems, devices and information assets should be prioritised for resiliency and recovery efforts.
Maintain your Systems. Organisations must employ an upgrade and maintenance cycle to reduce their attack surface. Failure to patch, update and upgrade (especially away from unsupported operating systems) can – at the very least – irreparably damage an organisation’s reputation, or – in the worst case, as seen in the recent ransomware attack – put public safety at risk.
Back up your Data. Police in the southern Indian state of Andhra Pradesh said 25% of their systems were hit by the attack: “Our cybercrime teams are currently working to retrieve lost data.” Not being able to retrieve lost data can heavily impact an organisation. As part of the BIA, ask: if critical information assets were lost, how far back in time could you reasonably recreate the data? Organisations must have mechanisms to ensure data is backed up often enough to meet that requirement.
Perform Continuity Planning. What happens if the system you use to do your job is not available? Some functions can stop until the system is restored. Others, such as medical services or airports, cannot afford downtime. A critical step in building resiliency is to plan for the inevitable disruption to business processes, systems or facilities, so that the organisation can keep operating even in a degraded state. Continuity or recovery plans should be documented for, at least, all critical business processes and their supporting systems, and tested under potential threat scenarios to ensure the organisation can continue to function.
The bottom line is that cyber security is a business issue and not just about technology. Cyber risk is but one dimension of the risk an organisation faces. The best way to thwart and respond to a cyber attack is to take a business risk management approach.