WannaCry’s ransomware attack is mostly over – here are the lessons businesses must learn from the experience.
WannaCry was a particularly nasty bit of ransomware that infected Windows systems via network connections and encrypted important files to hold them as a ransom for bitcoins. The first wave of WannaCry is over, and we can learn a lot of important lessons from its rise and fall.
1. Operating Systems Change for a Reason
This is probably the number one lesson from WannaCry. The disappointing thing is that it is a very familiar lesson that every security expert knows well. You have to keep updating your operating system, not just to keep up with the times, but also to protect your business data.
This advice is so common that the real problem is probably something more insidious: Business leaders refuse to take responsibility for the platforms and operating systems they are using. WannaCry is the consequence of that leadership failure, and the sooner organizations recognize that, the better they will be able to plan for the future. Windows XP was particularly vulnerable to WannaCry – that’s an operating system that is 1) 12 years old, 2) surpassed by 4 newer versions of the operating system with far more advanced tools and integration, and 3) without any support at all from Microsoft (outside of this emergency patch) for nearly three years.
The very common excuse that businesses make here is, “We can’t update because of this regulation, or that compliance issue, or the need to maintain services to our customers.” First, these are incredibly weak excuses. A full upgrade will always take time, resources, and careful planning to meet necessary regulations. That’s part of the process, not an excuse to avoid it. Second, many organizations don’t even realize these are poor excuses because they haven’t actually asked experts. The first thing an organization should do if it is worried about upgrading an older operating system is to bring in an IT expert who has experience in these types of upgrades and ask for a consultation, advice, and ultimately a game plan for the best possible outcome.
2. Patches Don’t Just Get in the Way – They Protect Against Threats
Close behind the lesson about upgrading to new versions of your operating system is the importance of patching. Let’s divide this into two steps. First, your company must be aware of available patches, as they come out, and what they do. This is really easy, even if you aren’t in IT. New patches are heralded by blogs, emails, tweets and many other sources of information explaining what they are and what they accomplish.
Second, give top priority to any patches that are designed to fix vulnerabilities and increase security. Require all employees to download that patch on all machines, that day. Period. You don’t even have to turn on automatic updates, just make sure those patches are downloaded. The vulnerability WannaCry exploited was patched back in March, but guess what? A lot of organizations have no patch plan or requirements, so it didn’t matter.
3. Lack of Awareness is a Vulnerability
Combine our first two lessons, and you get a reminder worth noting – companies cannot claim ignorance here. We have to be aware of the current security dangers, and how to deal with them. That means paying attention to what IT says, understanding how the business systems work, and knowing when a new malware or virus attack hits. These days, no manager can say, “Well, it’s not my problem.” It is.
4. A Single Good Practice Can’t Protect You From All Malware
In the past, most ransomware like WannaCry was spread primarily through phishing emails, and a strong anti-phishing strategy was very effective at dealing with the threat. But guess what? Things change. Cyberattacks regularly evolve and find different, more insidious ways to locate new victims. You cannot count on a single strategy to prevent any particular threat.
5. Network Segmentation May Be Growing More Important
Network segmentation refers to keeping devices off the business network, or connecting them only briefly in closely monitored situations, to avoid data vulnerabilities and malware. Especially after WannaCry, this is looking like a good strategy for companies that handle a lot of sensitive information.
6. The Consequences Will Always Be Worse Than Necessary Preparation
Some of the organizations affected by WannaCry include the UK National Health Service, the South Korean and Chinese governments, and organizations in more than 150 countries. Emergency health services were canceled, governments were unable to offer services, factories were suddenly shut down, and much more. This led to tremendous losses, and will probably lead yet again to a whole lot of fines, firings, and the loss of contracts. No matter how demanding security changes are, they are always easier than dealing with the aftermath of a bad attack.