Wavestone: Four key lessons from WannaCry ransomware attack
As media attention to the WannaCry attack is renewed, amid reports of the new NotPetya ransomware hack, which has had major implications across the world as well as at its epicentre in Ukraine, Wavestone’s cyber-security team have identified four central lessons that every organisation can use to boost its cyber-defences.
The ransomware attack that impacted more than 200,000 devices in over 150 countries, known as WannaCry, sent a tidal wave through the cyber-security landscape. Earlier in the year the UK government came under increasing scrutiny for its approach to cyber-security, after it emerged that the hack had made use of a notorious weakness in antiquated Windows software. NHS systems had been neglected as part of a state-wide cost-reduction programme. And while the Prime Minister and NHS Digital had previously stated they were unaware of compromises to patient records resulting from the attack, Home Secretary Amber Rudd later confirmed that data “may” have been lost. In a statement following the hack, Rudd also confirmed that the NHS would finally upgrade its software in the wake of WannaCry.
Since then, businesses across Britain have also been seen ramping up their defences, with a Willis Towers Watson report showing that 54% of organisations have added or enhanced cyber-insurance coverage in the past two years, while 36% plan to do so in the coming two years. Respondents were also keen to comprehensively train employees on cyber-security risks: 53% had done so in the past two years and 52% plan to in the coming two years.
In the fallout of the unprecedented hack – which encrypted files on computers world-wide before demanding payment from users – consulting firms have been quick to table suggestions for companies that remain fearful of becoming future victims of cyber-crime. UK-headquartered consulting giant EY issued a six-point plan organisations could use to protect themselves and reduce the impact of future ransomware attacks, while BDO, the world’s fifth largest professional services firm, urged boards to lift their organisations to the appropriate level of cyber-resilience.
Management consultancy Wavestone has also made the cyber-security of its clients a key priority for the coming years. Matilda Malmgren, a consultant at the firm’s UK office, stated in a recent interview with Consultancy.uk that, following a period of team expansion at the UK office, “We're now consulting on projects in additional areas of the IT landscape including cyber-security and digital working, and taking further advantage of the wider capabilities of our parent organisation.”
Utilising that global capacity and expertise, the UK cyber-security team have published a wide-ranging piece that picks out four key lessons from the colossal WannaCry and NotPetya ransomware events.
Key lessons from the WannaCry ransomware
Firstly, for organisations actually impacted by the incident, Wavestone’s advisors suggest that the event could have simply been avoided by following received wisdom in the security sector: “ensure you migrate your unsupported estate (e.g. Windows XP) and apply security patches”. While the firm cites this as basic security, it is something that the UK government and NHS trusts completely failed to do, along with a number of other organisations. This shows why these migrations, patches and updates need to be taken so seriously.
Secondly, and in the short term, organisations may need to ensure that they are “safe” from this attack vector. Florian Pouchet, Head of Cybersecurity and Digital Trust at the UK office of Wavestone, warned, “There will likely be other malware variants exploiting the same vulnerability in the coming weeks, so it’s important to protect your organisation first from the known vulnerability.”
The third lesson presented by WannaCry is that as businesses close out these loopholes, new exploits and zero-day vulnerabilities will be sought, with ransomware attacks potentially becoming more complex in nature and more frequent in occurrence. Therefore, organisations are advised to always be prepared for a potential “cyber-crisis”, with staff and executives encouraged to run “war games”, involving the full C-suite, to prepare for the real thing.
Finally, in the mid-term, even for the most security-mature organisations dealing with limited or constrained budgets, the key issue is assigning the correct priority to actions like “legacy migration” and “patch management”. Researchers here advocate that organisations should choose their battles wisely by assessing the risks and prioritising actions that mitigate the most critical risks first. To address that issue, Wavestone recommends that organisations take a holistic and risk-based approach, prioritising effort on their own “crown jewels”, i.e. their most critical systems. Applying that advice to the recent hack, companies should understand that losing the unsupported Windows XP estate would put critical parts of their business processes at risk, hence requiring an urgent action plan to mitigate that risk.
According to Pouchet, the global WannaCry attack was yet another reminder that these risks are not just hypothetical alert scales which can be flippantly categorised as Red/Amber/Green on a periodic basis. “These are real risks that can and will occur if we don’t take them seriously and they will impact on our daily lives. On a practical level they could prevent us from getting a doctor’s appointment when we need one or cause delays in operations or critical surgeries, as experienced in this attack,” he concluded.
A recent study found that the total cost of cybercrime soared to $280 billion last year.