Once again, cyber security is front-page news. Dubbed WannaCry, the ransomware attack unleashed earlier this month has affected an estimated 200,000 (and counting) computers across the globe. The NHS, Scottish Power, Renault, O2 and the China National Petroleum Corporation are just a handful of the organisations affected.
Significant though the attack was, it wasn’t exactly surprising - and nor should it be thought of as a once-in-a-blue-moon event.
Ransomware (malicious software that encrypts files or locks a device and then demands a payment to restore access) is now well and truly mainstream. As an illustration, back in 2014, network firewall specialist SonicWall picked up 3.2 million ransomware attacks on its Global Response Intelligence Grid. By 2015, this had crept up to 3.8 million. Yet by the end of 2016, the annual figure had reached 638 million, more than 167 times the number recorded a year earlier.
First and foremost, WannaCry should illustrate how important it is to adopt an assume breach stance: accept the very real risk of being hacked - and build your processes, systems and responses around this.
In addition, this latest major attack provides some useful reminders of best practice…
Always keep up with patch cycles
Once running on a machine, WannaCry spread to others by exploiting a vulnerability in SMBv1, the legacy Windows file-sharing protocol, using an exploit known as EternalBlue. The exploit is believed to have been developed by the NSA and became public when a group calling itself the ‘Shadow Brokers’ leaked a cache of stolen NSA hacking tools.
Microsoft had actually fixed this flaw before the stolen tools came to light. The security update, MS17-010, was released back in March and closed the hole that WannaCry went on to exploit two months later.
The outbreak provides a timely illustration of a fundamental point: patches are released for a reason. IT professionals who delay or neglect software updates leave their systems critically exposed, and in this case the window between patch and worm was around two months.
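As an added example (not code from the original article), the following PowerShell snippet audits a single Windows host for the exposure WannaCry used: it checks whether the SMBv1 server protocol is still enabled and turns it off, then looks for an MS17-010 update. It assumes an elevated PowerShell session; the SmbShare cmdlets exist on Windows 8 / Server 2012 and later, so a registry fallback is used for Windows 7 / Server 2008 R2. The KB list is an assumption for illustration and should be checked against the MS17-010 bulletin for each OS build you manage.

```powershell
# Added example, not from the original article. Audit one Windows host for the
# SMBv1 exposure WannaCry exploited. Run in an elevated session.

# --- 1. Is the SMBv1 server protocol enabled? -------------------------------
# MS17-010 fixes bugs in SMBv1; a host with SMBv1 disabled cannot be reached
# by the WannaCry spreader even if the patch itself is missing.
if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
    # Windows 8 / Server 2012 and later: SmbShare module is available.
    $smb = Get-SmbServerConfiguration
    if ($smb.EnableSMB1Protocol) {
        Write-Warning "SMBv1 server is ENABLED on $env:COMPUTERNAME - disabling"
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    } else {
        Write-Output "SMBv1 server protocol is already disabled"
    }
} else {
    # Windows 7 / Server 2008 R2 fallback: the documented LanmanServer 'SMB1'
    # registry value. 0 disables the SMBv1 server after a reboot; an absent
    # value means the default, which is enabled.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $current = (Get-ItemProperty -Path $key -Name SMB1 -ErrorAction SilentlyContinue).SMB1
    if ($current -ne 0) {
        Set-ItemProperty -Path $key -Name SMB1 -Type DWord -Value 0 -Force
        Write-Warning "Set LanmanServer\Parameters\SMB1 = 0 on $env:COMPUTERNAME; reboot required"
    } else {
        Write-Output "SMBv1 server protocol is already disabled (registry)"
    }
}

# --- 2. Is an MS17-010 update installed? -----------------------------------
# ASSUMPTION: this KB list is illustrative (Windows 7 / 2008 R2 security-only
# and monthly rollup, plus the out-of-band package for XP/2003/Vista/2008).
# Look up the KB that applies to each build you manage before relying on it.
$ms17010Kbs = @('KB4012212', 'KB4012215', 'KB4012598')
$installed  = Get-HotFix | Where-Object { $ms17010Kbs -contains $_.HotFixID }
if ($installed) {
    Write-Output ("MS17-010 present on ${env:COMPUTERNAME}: " + ($installed.HotFixID -join ', '))
} else {
    # Caveat: on Windows 10 a later cumulative update supersedes the March KB,
    # so its absence is 'investigate', not proof that the host is unpatched.
    Write-Warning "No MS17-010 KB found on $env:COMPUTERNAME - verify the patch level"
}
```

Run it across a fleet with Invoke-Command and collect the warnings, and confirm the result from the network side with an unauthenticated scan (nmap's smb-vuln-ms17-010 script checks the vulnerability itself rather than the installed KB list). Disabling SMBv1 is the more robust control of the two checks: it removes the protocol WannaCry needed regardless of which KB happens to be present.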
A legacy system can become a liability
“If it isn’t broken, why fix it?” Your business has been running Windows XP for years, seemingly without any problems, and switching would only cause unnecessary disruption.
But here comes the catch: with very few exceptions, Microsoft no longer provides security updates for this old operating system. Microsoft did issue an emergency XP patch for the WannaCry flaw after the outbreak began, but that was an exception made under public pressure, not something to plan around. Businesses and individuals who persist in using Windows XP are providing attackers with an open door, because newly discovered vulnerabilities will normally never be fixed.
Some institutions (the NHS and utility companies, for instance) will undoubtedly have legacy issues to contend with: they run highly specialist software, or equipment certified against a particular OS version, that cannot simply be moved to the latest Windows release. Where such systems cannot be upgraded, they need to be isolated on their own network segment with file-sharing ports blocked at the boundary, rather than left on the same flat network as everything else.
But for most organisations, sticking with an old, unsupported OS or other software simply to save time, money and disruption is a risky strategy. The savings made could pale into insignificance once one considers the likely consequences of a significant data breach.
This is especially the case now that GDPR is approaching. Once it applies, businesses can be fined up to 4% of annual global turnover (or €20 million, whichever is higher), and you don’t want to find yourself explaining to the ICO that customer data was breached because your software was years out of date.
Work to clear your technical debt
Technical debt refers to the trickier projects (upgrades, migrations, drawing up a business continuity plan) that tend to be put off, sometimes indefinitely, and which pose an increasing risk to your business the longer they are deferred.
Is it time to retire out-of-date kit? Are you lacking a comprehensive, tested backup plan that would let you restore systems without paying a ransom? Make it your mission to get the help you need to keep your vulnerabilities to a minimum.