Will WannaCry be the wakeup call we need?

If you were a victim of WannaCry, it’s your own fault

 

by Mike Knapp in Business Leaders

A couple weeks ago a new type of ransomware started infecting companies all around the world.  The speed and breadth of infection were extremely scary.

It started on May 12th.  Within hours, WannaCry infected more than 50,000 systems in 100 countries. By the next day, the media was screaming about a global epidemic, impacting more than 300,000 systems.

WannaCry is both a worm and ransomware.  That means it is self-replicating as well as encrypting your data and demanding money for its release.  It leverages exploits in Windows that the NSA knew about, but never reported.  With a recent massive leak (apparently from a security contractor), many new exploits have been made available to hackers.

Thankfully the impact of WannaCry isn’t as bad as it could have been.  It was slowed down by a security researcher by accident a couple days after its appearance.  Yes, the hackers were silly enough to include a “kill switch”.  It also hasn’t collected many ransoms – supposedly around $112,000 in bitcoins.

So why is it your own fault?  Because it was completely preventable.

I recently wrote about stopping ransomware – that article gives you some key steps to reducing your risk.

Security must be part of your company culture

This global incident should be a wakeup call for every business.

Cyber-attacks aren’t something that happens to other people.  Cybersecurity isn’t a backroom-IT-thing anymore.  It’s a major risk to every business and needs to be managed at the leadership level.

Every person in your business has a role to play when it comes to protecting your business.  It’s time to shift to a more protective, even paranoid state.

Expect you’re going to be attacked and plan for it.  Look at the security implications of everything you do and ensure you’re putting the right investments in place.  Train your staff so they recognize potential attacks and know what to do.

If it’s not supported, don’t run it

The exploits that WannaCry leverages are only on older Microsoft operating systems – such as Windows XP, Windows 2003 Server and Windows 7.  These operating systems are either no longer supported or on the path to retirement. Retirement (normally) means no new security updates or bug fixes.

If you’re running one of these operating systems, it’s past time to upgrade.  Make this a very high priority. If you really can’t upgrade them, they need to be isolated and protected appropriately.

Install updates regularly

Microsoft had also released patches for all but Windows XP two months before WannaCry.

The patches didn’t say “install this or you’ll be the victim of the zombie apocalypse”, but that’s no excuse.  Your IT department or IT service provider needs to be reviewing, assessing and applying security updates on a regular basis.

I’ve run into several IT service providers and IT departments who have had to scramble to get patches installed with this incident.  If the patches were available, you should be asking them why the patches weren’t already installed, and deal with that issue.

Get the help you need

Your IT people may be amazing at setting up servers and firewalls, but looking at your business from a security and risk perspective is something most of them have never done.

If you think you’re safe because you weren’t hit this time – you’re wrong.  This is just the latest attack.  There will be more.

It’s becoming expected that mature businesses have a cyber-expert on their board of directors.  Many businesses aren’t at the point of needing a board yet, but they still need proper security advice.

Find an appropriate security consultant who can look at your business through the right lens and provide you with a clear roadmap to properly protect your business.

 
