Following WannaCry, how should businesses protect themselves from cyberattacks?
If anything, 2017 will be remembered as the year of the cyber-attack. No business is safe. No industry is exempt. The ease with which cyber-attacks can be launched and virally propagated was brought home recently by the WannaCry ransomware attack. In less than 48 hours, it compromised more than 130,000 organizations in over 150 countries. This comes on the heels of an extensive phishing attack earlier this year that successfully caused numerous businesses to disclose the W-2 information of their employees to hackers. It seems that not a week passes without a headline calling out the name of another business falling victim to an attack.
These attacks have adversely impacted stock value, resulted in the termination of executives, and have given rise to numerous class actions, Federal Trade Commission enforcement actions and sanctions, and investigations by State Attorney General’s offices. Officers and directors who fail to exercise an appropriate degree of care in addressing cyber security in their organizations are now facing personal liability.
In light of the foregoing, one would think businesses would make improving cyber security the top priority in their organizations. The sad fact, as highlighted by the WannaCry attack, is that many businesses haven’t even deployed the most basic of security measures. In fact, a recent survey found that 52% of organizations that suffered successful cyber-attacks in 2016 are not making any changes to their security in 2017.
Businesses just aren’t getting the message.
WannaCry should serve as the poster child for the world’s lack of preparation for cyber-attacks. Even though a patch was readily available, businesses didn’t deploy it. Even though one of the fundamental tenets of cyber security is to decommission systems and software that are no longer actively supported by their vendors, WannaCry highlighted the continued use by businesses of systems and software sometimes years after they had reached end-of-life and security patches were no longer provided. Even though the most recent statistics show that two-thirds of attacks of this kind result from failure to adequately train personnel, businesses have done little to improve employee education.
The United States’ security and privacy laws, regulations and industry standards generally have one thing in common: they each require businesses to do what is “reasonable” under the circumstances to protect their systems and data. As greater scrutiny is brought to bear on businesses suffering security compromises, it is likely many will be found to have failed to achieve that basic standard.
Businesses must take their heads out of the sand and view recent attacks, particularly WannaCry, as a clarion call to action. But before businesses are moved to deploy the latest security gadget, intrusion detection system, or firewall, they first need to focus on the basics of information security. All too often, businesses are swayed by the siren song of the latest technology and fail to focus on the two most basic elements of information security, which are almost universally viewed as some of the most effective steps a business can take to protect its systems and data. First, businesses must deploy a means of actively monitoring the availability of security patches for their technology and promptly implementing those patches. Second, businesses need to focus on training their employees regarding information security, including phishing and ransomware. This means not only training employees when they are first hired, but continually updating that training throughout their employment and providing particular training when new threats arise.
While security patch deployment and employee training seem incredibly basic, as attacks like WannaCry bear out, many businesses simply fail to take advantage of them. In today’s environment, businesses that continue to do so will expose themselves to attacks that could severely impact their enterprise, result in substantial data losses or system unavailability, and give rise to potentially dramatic liability. It is never too late. Businesses need to start today to address these threats.
This article was originally published on the author's blog, Crossroads of Cybersecurity and the Law, which is hosted by CSO.