WannaCry counts, without any doubt, amongst the most widely publicized cyber-attacks of the year, although this notoriety may not necessarily be fully justified. Still, it has affected hospitals, public transport, and car manufacturing, to name just a few of the examples that became public. In an earlier blog post, I was looking at the role government agencies play. Here I look at businesses.
Let’s look at the facts: The exploit has been known for a while. A patch for the current Windows systems has been out for months, and I’ve seen multiple warnings in the press indicating the urgent need to apply the appropriate patches.
Unfortunately, that didn’t help, as the number of affected organizations around the world has demonstrated. Were those warnings ignored? Or had security teams missed them? Was that ignorance? Lack of established processes? If they had older Windows versions in place in sensitive areas, why haven’t they replaced them earlier? I could ask many more of these questions. Unfortunately, there is only one answer to them: human failure. There is no excuse.
Somewhere in the organizations affected, someone – most likely several people – have failed. Either they’ve failed by not doing IT security right (and we are not talking about the most sophisticated attacks, but simply about having procedures in place to react to security alerts) or by lacking adequate risk management. Or by a lack of sufficient budgets for addressing the most severe security risks. Unfortunately, most organizations still tend to ignore or belittle the risks we are facing.
Yes, there is no 100% security. But we are all supposed to know how to strengthen our cyber-attack resilience by having right people, right processes, and right tools in place. The right people to deal with alerts and incidents. The right processes for both preparing for and reacting to breaches. And the right tools to detect, protect, respond, and recover. Yes, we have a massive skills gap that is not easy to close. But at least to a certain extent, MSSPs (Managed Security Service Providers) are addressing this problem.
Unfortunately, most organizations don’t have enterprise-wide GRC programs covering all risks including IT security risks, and most organizations don’t have the processes defined for an adequate handling of alerts and incidents – to say nothing about having a fully operational CDC (Cyber Defense Center). Having one is a must for large organizations and organizations in critical industries. Others should work with partners or at least have adequate procedures to recover quickly.
Many organizations still rely on a few isolated, old-fashioned IT security tools. Yes, modern tools cost money. But that is not even where the problem starts. It starts with understanding which tools really help mitigating which risks; with selecting the best combination of tools; with having a plan. Alas, I have seen way too few well-thought-out security blueprints so far. Creating such blueprints is not rocket science. It does not require a lot of time. Why are so many organizations lacking these? Having them would allow for targeted investments in security technology that helps, and also for understanding the organizational consequences. Just think about the intersection of IT security and patch management.
To react to security incidents quickly and efficiently, organizations need a CDC staffed with people, having defined processes in place for breach and incident response, and being well integrated into the overall Risk Management processes, as depicted in the picture below.
Such planning not only includes a formal structure of a CDC, but plans for handling emergencies, ensuring business continuity, and communication in cases of breaches. As there is no 100% security, there always will be remaining risks. No problem with that. But these must be known and there must be a plan in place to react in case of an incident.
Attacks like WannaCry pose a massive risk for organizations and their customers - or, in the case of healthcare, patients. This is a duty for the C-level – the CISOs, the CIOs, the CFOs, and the CEOs – to take finally responsibility and start planning for the next such attack in advance.