Lessons learned from WannaCry
By Tim Erridge, 24 May 2017
In the wake of the WannaCry ransomware cyber-attack, which had such a significant impact on the UK’s NHS, amongst many other organisations worldwide, I am mindful of my simple mantra: Know your threats, know your assets, protect what you can, detect what you can’t, be ready to respond appropriately and learn from every opportunity.
I wrote this out of frustration after spending a day at a summit where speakers were talking around problems without giving advice on how to tackle them appropriately – frankly adding yet more confusion and complexity. While cyber security is anything but a simple fix, it is a real-world problem with a plethora of practical solutions. My mantra was penned in an effort to demystify and break down information security into actionable component tasks.
If one accepts living in a hyper-connected world, cohabiting with bad guys, much like we accept living with the risk of disease, we can follow similar simple rules to minimise our exposure and avoid unacceptable levels of risk. There is no such thing as 100% immunity, much like there is no such thing as a 100% secure organisation. But, by simply having greater awareness and understanding, you can take practical precautions and be vigilant to spot where your protective measures fall short. This knowledge and vigilance allows you to mount a response that is both timely and of an order of magnitude commensurate with the threat posed. If we catch a cold, we don’t necessarily book in for an immediate blood transfusion for example, unless our knowledge and situational awareness informs us that this is the best course of action, and adequate funding is both available and justified.
Ransomware is ubiquitous right now and so there should have been no surprises that an attack could hit organisations such as the NHS where funding for security measures is scarce. This, combined with a lack of awareness about how exposed its mission critical data and systems were, is concerning where IT outages can result in physical consequences, in this case potentially endangering people’s health. It is laudable that there were no reported consequences of this nature, showing that an operational response process was able to reduce the impact and mitigate the risk. It is a testament to all of the people that mustered and the processes that were no doubt well-rehearsed.
Another consequence of the cyber-attack is that no longer can the excuse “why would they target us?” hold up. “Collateral damage from a non-targeted cyber-attack causes extreme operational consequences” is now a proven and accepted scenario. Often a lack of adequate awareness leads to failure to appropriately prioritise investments in cyber security in many organisations. Without knowledge of the real-world threats and their potential impact on a business’s operations, boards will continue to struggle to set informed investment budgets and direction.
This should be an imperative for all organisations, but the consequences of getting it wrong are most profound where there is a cyber-physical impact that poses a real risk to life. Never mind GDPR fines of 4% of global revenue, demonstrable negligence in this context could surely constitute a criminal offense and result in a custodial punishment.
We should also bear in mind that emerging regulations such as GDPR and the NIS directive are not there just to elicit fines, but to actively encourage organisations to undertake better cyber due diligence to safeguard sensitive data and work towards a more secure digital marketplace.
So, coming back to my mantra to demystify cyber security. Ask yourself if you can demonstrate a clear understanding of your threats and your assets. Have you taken all reasonable efforts to protect what you can, and are you able to detect those attacks you can’t prevent and respond to them appropriately? And are you taking steps to continuously improve across all areas? If you can answer yes to all of these questions, then you have put yourself in a defensible position, whether to an angry customer, your boss, the board, the shareholders, a regulator or a judge. Ignorance is no defence for negligence, but if you’re genuinely doing everything that can be reasonably expected of you, then that’s all that can be asked.
We will all get sick sometimes, but it’s how well we prepare for and deal with it that has a significant bearing on how impactful it ultimately is on our lives.