Originally published on Information Management
Last year produced some of the largest and most critical data breaches to date and these continued assaults show no signs of letting up.
On May 12, the world’s biggest global ransomware attack hit at least 150 countries and infected over 200,000 devices. The “WannaCry” virus spanned the world, striking in Britain, China, Russia, Germany, Spain, Japan, South Korea and Taiwan, while targeting a broad range of victims including hospitals, universities, manufacturers and government agencies.
Ransomware is a particularly nasty type of cyberattack in which malware encrypts the data on a drive and locks users out of that data until a ransom is paid. “WannaCry” worked by infecting computer networks and demanding $300 (£230) in Bitcoin to decrypt the affected data.
Extorted companies lost productivity, and in the case of hospitals, patient lives were potentially at risk from the “WannaCry” attack. Yet, for many victims this was an avoidable problem that serves as a wake-up call for the rest of us.
The source of the “WannaCry” ransomware virus is a delicate issue for the United States. Allegedly, the exploit on which the malicious software is based was originally developed by the National Security Agency as a cyberweapon and was later published by a hacking group called the Shadow Brokers.
While no one yet knows which group is actually responsible for the large-scale attack, we do know that the virus exploited an identified vulnerability in older versions of the Windows OS, and that a patch securing against it was released months before the “WannaCry” attack. The rapid spread of the “WannaCry” virus raises the question of why, in this day and age of cyber threats, so many enterprises failed to update their software or install the security patch, and why they did not have data backups and real-time malware protections in place.
The failure to take basic steps to protect your environment does not just place your data at risk, with the potential loss of public confidence and business; these hacks also expose companies to litigation and substantial liability.
Court dockets are replete with examples of companies that knew about system vulnerabilities yet failed to put reasonable precautions in place to prevent or minimize the chances of a hack. Such companies must defend against multiple class action lawsuits alleging harm to shareholders, business partners and the public, and their executives are sued personally for breach of their duties of loyalty, care and good faith for failing to implement and enforce a system of effective internal controls and procedures with respect to data security.
To establish a reasonable standard of care regarding internal security controls, it is not enough to simply implement baseline security protocols. A company must make timely updates, maintenance, and repairs, and is expected to stay abreast of the latest threat landscape and state-of-the-art technology to minimize those threats—especially if others in the industry are already doing so.
It is crucial to periodically:
- Make sure software is updated and security patches are applied.
- Use real-time anti-virus and anti-malware software.
- Back up key data in multiple locations, including offline.
- Teach employees to recognize phishing emails that use malicious attachments and other means to gain access to systems.
- Allow end users to report incoming phishing attempts to a company reporting email address, and have a dedicated company security employee check this mailbox on a regular basis.
- Design and implement a written Incident Response (“IR”) plan for identifying, containing, eradicating, and recovering from cyber security incidents.
Though unprecedented in scope, the “WannaCry” attack is not the first of its kind, nor will it be the last. When you get hacked, will you be able to show your business partners, customers, and the courts that you took all reasonable steps to mitigate known risks? The “WannaCry” attack is a reminder that the time to get current on your cybersecurity is now.