Held to ransom – WannaCry fallout

In the wake of the WannaCry global ransomware attack, Rob Horgan asks industry experts what needs to change to prevent it from happening again .

It can’t be ignored. And it shouldn’t be swept under the carpet. In the words of Microsoft vice president Brad Smith, May’s global WannaCry ransomware attack must be a ‘wake-up’ call for governments and security officials around the world. Smith went so far as to describe the attack as the equivalent of ‘the US military having some of its Tomahawk missiles stolen’. It must – as Smith argued – be the catalyst to changing the current internationally accepted blasé attitude towards cybercrime. 

And governments can rightly be criticised for not providing adequate funding. Education schemes can be rolled out to provide greater understanding, but the Channel also has a responsibility and an important role to play. Developers, vendors, distributors, security experts and all facets of the Channel beyond have a duty of care to its consumers to convince the world to take cybersecurity seriously. Never before has the consumer needed looking after as much as now. 

But how do you go about solving a problem that hit an estimated 200,000 victims in at least 150 countries over just one weekend? In reality a number of things need to happen now. 

The main thing is a change in attitude. A survey by SolarWinds recently revealed that 87 per cent of IT executives consider their cybersecurity robust. That is despite 71 per cent of those same executives suffering a security breach in the last 12 months that resulted in a ‘tangible loss’. In the current state of play, financial loss at the hands of cybercriminals is seemingly considered inevitable. And yet, only 16 per cent of those surveyed consider training staff in cybersecurity as a priority. 

As BullGuard CEO Paul Lipman explained, the speed at which the WannaCry bug wormed its way into the NHS and then across the globe demonstrates the staggering number of organisations that simply do not take cyber security seriously. “If anything the attack has revealed that an awful lot of organisations simply don’t take cyber-security that seriously. You have to ask why? What is required before organisations understand the risk?

“It exposed the government’s willingness to compromise on security to save money by pulling the plug on a Microsoft support contract and hand over the responsibility to cash-strapped trusts.”

The problem with many organisations – including the NHS – is that they are running on outdated, unsupported Windows XP systems. 

For many, the cost of updating their systems was seen as an unnecessary expense and so security took a back seat to revenue. As Jean-Frederic Karcher, head of security at Maintel, said: “Organisations are continuing to rely on aging computer systems that do not use the latest security features. Indeed, NHS hospitals are using very old legacy systems – often Windows systems over 10 years old that have not seen any patches and are therefore extremely vulnerable to such attacks. Honestly, this attack should not come as a surprise to the security community.”

Lipman believes that it is this cost-cutting attitude that needs to change in order for organisations to take cyber security more seriously.

“One of the consequences of living in a world that is overwhelmingly driven by commercial imperatives is that revenue and the bottom line is king. This means all else is subsumed in the drive for profit including cyber security,” he said. “It’s only when organisations realise that cyber-attacks can inflict damage on the bottom line and destroy reputations and careers will it be given the focus it needs.”

A staggering two-thirds of UK businesses have no official Ransomware policy in place, according to research by Timico and Datto. By this time next year, new General Data Protection Regulations will be in effect across Europe to hold company’s to account for losing customer data. If the security risk wasn’t enough to put organisations in gear, then the threat of fines may do the trick. 

Tom van de Wiele, security consultant at F-Secure Cyber Security Services, believes that organisations need to be greater incentivised to increase security measures. “While there are merits to claim governments could do more to force security on vendors, providers and operators, there is also need to carefully consider what failures in the incentive models have led to this present situation,” he said. “Is it commercially rewarding for companies to pay little attention to IT and automated security? Is it a pure compliance issue? Has the buyer and outsourcer any responsibility whatsoever?”

Another school of thought is that organisations simply don’t know what cyber security really is. John Pagliuca, SolarWinds MSP general manager, said: “People are confusing IT security with cybersecurity. The former is what companies are talking about when they think about readiness. However, what they often don’t realise is that cybersecurity protection requires a multi-pronged, layered approach to security that involves prevention, protection, detection, remediation, and the ability to restore data and systems quickly and efficiently.” He added: “The overconfidence and failure to deploy adequate cybersecurity technologies and techniques at each layer of a company’s cybersecurity strategy could be fatal.”

After pouring more money into cyber security, raising awareness and understanding what cybersecurity actually is, the final piece of the puzzle is enforcing regulations. Smith wants connected products (be it laptops, computers or smart watches) to pass through a security test mark, similar to industry standards set within the toy or food industries. 

Cyber security expert Mark Skilton at Warwick Business School believes that a cyber equivalent of the UN needs to be established to deal with the threat of online crimes. “This attack has shown there needs to be a cyber police force at a global level to help manage these escalating threats,” he said. “My research has found a need for a global legal system to govern the internet.” 

Whether a cyber police force is the answer, or even feasible, remains to be seen. What is for certain is that a change in attitude from governments, organisations needs to be supported and promoted by the Channel in order to tackle the ever-growing rise in cybercrime.