The latest cyber- attack, using ransomware in partnership with a worm, has caused havoc across the globe, with Russia, Spain and the UK thought to be the most affected. Europol estimates there are 200,000 victims in 150 countries, although this figure is likely to rise.
While there are regular strikes on individuals and businesses, this one, known as WannaCry or WannaCrypt, has caused such a widespread infection due to its ability to replicate through a network and infect vulnerable computers without each user clicking on an email link or attachment. WannaCry then locks and encrypts files and demands $300 (£230) in BitCoins, typical for such ransomware. Of course there is never a guarantee paying will do anything either!
Whilst Microsoft had released a patch in March 2017, it does highlight some different IT risks both from a legacy perspective but also in how companies approach applying patches.
Are we factoring IT risk when making investment decisions?
Many companies that were hit by this cyber event were still running a legacy operating system, Windows XP, that Microsoft stopped supporting 3 years ago on 8th April 2014. When considering IT investments, of course there are the opportunities the investment raises, but is your organisation factoring in the potential impacts and threats from not making the investment?
In the case of the UK’s NHS, thousands of computers were effected. With a complicated set up of partners and suppliers, complex infrastructure, sensitivity of data, and presumably budgeting issues, did not move software upgrades to the top of the agenda quickly enough. Surely, a red flag for Risk Managers and IT teams within the organization.
What is the best approach for applying patches?
Many of people with home computers, just tick the automatic update option for patches from Microsoft and trust in Microsoft’s quality and testing program.
However, for organisations running thousands of computers with a complex landscape of software and applications, this may seem a high-risk strategy. So, they invest in test environments where patches and fixes are rigorously tested before being released. Of course, this all takes time and money.
What must be balanced is the potential cost of delaying applying a patch versus the cost of rigorous testing versus the cost of a non-tested patch causing issues. Certainly, not an easy balancing act but this event has shown is there is no real safe route.
Is the risk over?
This cyber event got stopped in its tracks by the serendipitous actions of the blogger known as MalwareTech (@MalwareTechBloG), who stumbled on a ‘kill switch’ by registering a domain name that the ransomware was trying to reach. Of course this doesn’t help computers already infected but it does slow down the spread plus there is always the potential for variants to appear.
Managing the risk of cyber-attacks
In the case of WannaCry, and all ransomware, you can protect yourself by ensuring your computer has an up-to-date operating system and software, you have current and reliable anti-virus software. Also be wary of opening emails from unknown senders, an odd email from a contact or opening any attachments or clicking on links. Taking a regular back up of important documents should mean you can restore files in case the worst happens.
For businesses, it is also important to have a robust ERM framework with an up-to-date risk register combined with a good risk management system. Having a disaster recovery plan for cyber risks, which might include IT security measures, applying updates in a timely fashion, rehearsing attack responses and staff training, is the best way to mitigate an attack.
Finally, organizations can consider insurance solutions to help manage the financial impacts of any interruptions to the business as well.