In the wake of what has been described as the world’s largest cyberattack, companies and organizations internationally are scrambling to understand the vulnerabilities that led to the massive risk — as well as the measures that must be taken to guard against ransomware and other cyber threats.
WannaCry, the name given to the cyberattack that infected more than 200,000 computers in more than 150 countries, was a ransomware attack that effectively locked down the files on infected computers. The hackers then demanded a ransom payment in bitcoins to give users back control of their files. Companies as large as FedEx and Nissan were among the victims.
Not surprisingly, at least to security officials who have been regularly warning about lax practices that lead to vulnerabilities, the breach could be traced to NSA tools that were leaked or stolen. Those tools allowed WannaCry to happen through vulnerabilities in Microsoft Windows, although the company had released a security patch to address those same vulnerabilities earlier this year.
The fact that WannaCry was still able to penetrate Windows points to a common failure among corporations to take immediate action when security patches are released, for any number of reasons. In many cases, companies deliberately resist updating their systems because they are concerned about disrupting the performance of their legacy software programs, according to an article featured in CNN Tech.
The massive global cyberattack is a good reminder to implement the cybersecurity practices that can help protect your company’s data and sensitive materials. Here are five measures that are regularly recommended by security experts in the industry.
- Invest time and resources in training. As the Harvard Business Review points out, one of the best places to start with a cybersecurity plan is with extensive training of your employees. All of them. Sure, you hire the best in the industry to protect your data center assets and equipment. Any company should expect executives and IT professionals to stay abreast of the latest security measures. However, the training must go companywide. HBR recommends that training be at the forefront: no matter how much is invested in the latest security tools, no solution can depend upon technology alone.
“Spending millions on security technology can certainly make an executive feel safe, but the major sources of cyber threats aren’t technological.” Chris Furlow of the U.S. Chamber of Commerce Cyber Leadership Council and Dante Disparte, founder of Risk Cooperative
They went on to say that vulnerabilities caused by human error — including ignorance, apathy, and hubris — can lead to significant gaps in security. “With any cyber threat, the first and last line of defense is prepared leaders and employees, whether they are inside an organization or part of an interconnected supply chain,” they said in the article.
During a security conference in Pennsylvania last year, numerous security officials also stressed the importance of educating people throughout your operations.
Hackers don’t necessarily go to the most sensitive material, which is more closely guarded. Instead, she said, they troll networks in low-level areas to detect vulnerabilities they can exploit on their way to tapping into more critical data.
“People are the weakest defense. Focus on how you respond and help the workforce understand actions they can take to prevent attacks.” Cathy Beech, the Chief Information Security Officer at Children’s Hospital of Philadelphia
During that same seminar, it was also advised that education needs to go beyond IT employees and managers.
“Assess your current environment through a cross-functional team that includes accounting, legal, IT. You should listen to different perspectives, which helps find vulnerabilities.” Nancy Horvath, a Deputy Chief Information Officer of Bucks County in the Philadelphia Area
- Invest in automation. Hackers are getting more aggressive, more persistent, and more successful, as the recent WannaCry attack demonstrated. That’s why many companies are taking the step of investing in technology that paves the way to automated responses to cyberattacks. According to Check Point, a security company, companies will increasingly rely on artificial intelligence and data to identify patterns behind threats before they happen, leading to exposure of new cyberattack campaigns.
- Use basic antivirus software. It may seem obvious, but it’s important to use what’s already available in the form of antivirus software that’s designed to protect your company against viruses that already have been identified. Don’t neglect to implement this as one of the most important frontline defenses against viruses. Keep in mind that antivirus software covers the most common threats. Unfortunately, as experts keep pointing out, it’s a battle to keep up with the different and new varieties of malware that keep erupting on a daily basis.
- Implement a practice of regular and safe backups. When you have numerous backups, you can retrieve your files without having to pay a hacker to release them, a payment that is never recommended by security officials. With regular backups, you can avoid the risk of engaging with a criminal and at the same time recover critical information.
- Maintain patches and updates. In the WannaCry ransomware attack, the hackers were able to target systems because of failures to update them with a patch released by Microsoft several months earlier. If nothing else, the attack should serve as a grave reminder of the importance of keeping up with those types of security updates. According to reports, the virus specifically targeted computers using the outdated systems Windows XP and Windows 7 and 8. Although Microsoft had stopped servicing those systems, the company released a patch to address the outbreak.
With the threats by cyber criminals looming larger than ever before, it’s critical that companies take significant steps to be on guard. As many officials say, it’s not a matter of who will be attacked; it’s only a matter of time.