By Martin Lipka, Head of Connectivity Architecture, Pulsant
Cyber attacks aren’t new. The risks they pose to organisations and to individuals are well documented. In May 2017, though, the cyber threat landscape shifted. What began as a seemingly small-scale event turned out to be a massive cyber attack that hit organisations in more than 150 countries within a day.
Dubbed WannaCry, the ransomware took advantage of a vulnerability in the Windows SMBv1 file-sharing service and, unlike most ransomware, spread on its own from machine to machine as a worm, infecting hundreds of thousands of computers. The most prominent victim in the UK was the already-beleaguered NHS, with more than a third of its trusts in England affected, as well as 603 primary care and other NHS organisations, including 595 GP practices.
Hospitals were in chaos. Appointments cancelled. Operations postponed. The impact on patient care, trust and the NHS’s reputation was unquantifiable. And it all could’ve been so much worse if a cyber-security researcher hadn’t stumbled on a kill switch: the malware checked whether an obscure, unregistered domain name resolved before encrypting, and once the researcher registered that domain new infections stopped locking devices (machines already encrypted stayed encrypted). The only thing is, the solution was found by chance, because the attackers had been sloppy. Will we be as lucky next time? The odds might be against us.
Fast forward a year and what have we actually learned from the attack?
#1 The basics matter
One thing was clear within a day of the attack: the cyber security basics actually matter. Having basic processes and practices in place – applying patches, installing updates, running malware protection, switching off services you don’t need – puts your organisation in a far better position to mitigate risk. Yes, there is a lot more to cyber security than the basics, but having this foundation in place allows you to build on it and address other, more specific threats to your business.
#2 Patching is important
Expanding on the importance of having cyber security foundations in place, patching is and remains absolutely crucial to keeping your organisation safe. The vulnerability that WannaCry exploited was a Windows issue, and Microsoft had released a fix for it (security bulletin MS17-010) in March 2017, almost two months before the attack.
In short, if the NHS had applied that patch across its IT infrastructure in a timely fashion, or had simply disabled the SMBv1 service the worm spread over, the WannaCry debacle could largely have been avoided.
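The check a practitioner would want to run on a Windows estate after reading this, as an added example (not code from the original article): report whether the SMBv1 server is still enabled and whether one of the standalone MS17-010 updates is installed. It assumes an administrative PowerShell session on Windows 8.1 / Server 2012 R2 or later, where the Get-SmbServerConfiguration cmdlet exists; the KB numbers are the standalone update identifiers Microsoft published with MS17-010 in March 2017.

```powershell
# Added example, not from the original article.
# Assumes an elevated PowerShell session on Windows 8.1 / Server 2012 R2 or later.

# 1. Is the SMBv1 server protocol, which WannaCry propagated over, still switched on?
$smb = Get-SmbServerConfiguration
if ($smb.EnableSMB1Protocol) {
    Write-Warning "SMBv1 server is ENABLED on $env:COMPUTERNAME."
    # Remediation once you have confirmed nothing legacy depends on it:
    #   Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
} else {
    Write-Output "SMBv1 server is disabled on $env:COMPUTERNAME."
}

# 2. Is one of the standalone MS17-010 updates present?
#    These are the KB numbers Microsoft listed in the March 2017 bulletin for
#    Windows 7 / 8.1 / Server 2012 / 2012 R2 and the Windows 10 builds of the time.
$ms17010 = @(
    'KB4012212', 'KB4012215',   # Windows 7 / Server 2008 R2 (security-only / monthly rollup)
    'KB4012213', 'KB4012216',   # Windows 8.1 / Server 2012 R2
    'KB4012214', 'KB4012217',   # Windows Server 2012
    'KB4012606', 'KB4013198', 'KB4013429'   # Windows 10 1507 / 1511 / 1607
)
$installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
$found = $installed | Where-Object { $ms17010 -contains $_ }

if ($found) {
    Write-Output "MS17-010 update present: $($found -join ', ')"
} else {
    # Caveat: Get-HotFix only shows the updates currently installed. On Windows 10 a later
    # cumulative update supersedes and removes these IDs, so 'not found' on an up-to-date
    # machine is expected; compare the OS build to the current cumulative release instead.
    $build = (Get-CimInstance Win32_OperatingSystem).BuildNumber
    Write-Warning "No standalone MS17-010 update listed (OS build $build). Verify the host is on a cumulative update that includes the fix."
}
```

Run it across the estate (for example via Invoke-Command against a list of hosts) and treat any host reporting SMBv1 enabled as an immediate fix, whatever its patch level: the protocol is the exposure, the patch just closes one hole in it.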
#3 Everyone is a target
The ransomware worm attacked organisations indiscriminately across the globe, including Telefonica, Renault, Deutsche Bahn, FedEx, Nissan and the Bank of China. And those were just the high-profile names. That’s not to mention the hundreds of thousands of computers in thousands of organisations that didn’t make the news headlines.
Many cyber security professionals live by the adage that it’s not a case of if an attack will occur, but when. And it’s true, partly because cyber attackers and their methods are growing bolder and more sophisticated, and partly because there is so much that could go wrong. Organisations need to pay attention to the overall cyber security picture, start with the basics (for example by implementing a baseline scheme such as the government-backed Cyber Essentials or the IASME Governance standard) and build out a comprehensive defence strategy from there. WannaCry was definitely a wake-up call for many businesses, large and small, but it’s up to those businesses to listen and apply the lessons learnt.