WannaCry, hitting hundreds of thousands of computers, was the most widespread ransomware attack in history. The crypto-worm exploited a vulnerability in the Windows operating system – a vulnerability that was actually detected and patched two months ago – encrypting victims’ data and then demanding ransom payments.
A more recent ransomware attack, dubbed “NotPetya” or “Goldeneye,” emerged as a malicious attack that wouldn’t actually release files upon receiving ransom payments. Businesses across the world have been told they have two options: either pay per affected device (which may not even be a solution) or lose all data.
Once the root cause of a cyberattack is identified, organisations often dismiss associated vulnerabilities, deeming them irrelevant to their business and operations. This mode of thought is dangerous, because fundamental mistakes made by one organisation are very rarely unique. The widespread nature of WannaCry, for example, is a major wakeup call that is galvanising organisations into action.
As a direct result of the WannaCry and Goldeneye attacks, many companies are realising that a security department, in-house cybersecurity experts, and internal policies do not by themselves provide adequate protection. Without effective governance to tie processes and resources together, organisations expose themselves to preventable – but undetected – vulnerabilities.
Ransomware, like other forms of cyberattacks, is entirely preventable with good governance and integrated risk management processes. Effective governance is achieved with centralised monitoring – used by senior leadership and the board to make informed strategic decisions – and the corresponding processes of operationalising front-line policies.
The technology and resources needed to avoid ransomware and similar attacks are already owned by most companies; the governance to connect and sustain them is not.
An integrated risk approach, which can’t exist without strong governance and board oversight, is needed to understand the overlapping vulnerabilities between departments. Each should be held to the same high standards, and should also be accountable for the process component it is closest to.
Meeting strategic goals such as maintaining a strong cybersecurity program is dependent on sustainability: the ability to use automation and delegation to implement and monitor policies using existing resources. The purchase of new security applications and hardware is not necessary to prevent surprises before they happen.
The consequences of bad governance are manifold, and the same root cause of WannaCry – poor governance and operationalisation – is responsible for myriad corporate scandals in recent years. Failures including those seen at Wendy’s, Dwolla, Ashley Madison, and Target would not have occurred if those companies had governed themselves more responsibly.
How does good governance improve cyber security and prevent surprises?
The biggest lesson companies should learn from the WannaCry ransomware attack is that becoming a victim is entirely preventable. Enterprise risk management is about more than simply identifying new risks that need to be addressed. It also closes the otherwise ubiquitous gap between policies and everyday operations.
If organisations’ security teams simply received automated alerts to force computer restarts across the company at predetermined intervals, for example, the Windows patch from March would have been implemented. This in turn would have sealed the vulnerability used by the WannaCry crypto-worm.
There are multiple steps that can be taken to mitigate the risk presented by cyberattacks of any kind. These steps can all be performed manually within a short timeframe, but long-term, sustainable protection can only be guaranteed with the adoption of a centrally managed (i.e. integrated) risk-based approach.
The most basic protection, whether against ransomware or malware that actually corrupts data, is off-site backups. Best practice for backup frequency and scope varies by industry, and senior leadership should collaborate with security to identify minimum standards.
Once these standards are set out in a formal internal policy, automatic notifications should be used to remind security to verify that each backup actually ran. If this process occurs consistently and on time, all data will be retrievable even if the organisation is hit by an attack. It’s imperative to use a risk-based approach to prioritise data; monitoring and testing should be applied first to the organisational data that supports critical functions.
Companies must also design and maintain business continuity and disaster recovery (BC/DR) plans. As with data backups and applications, devices, and software, BC/DR plans must be tested and optimised at regular intervals.
Designing a plan without regularly testing the ability to implement a “clean recovery” is akin to designing another internal policy but not making sure it is actually followed. In other words, a BC/DR program is not operational without regular testing, and it’s highly unlikely a company with an untested program will recover from an attack within the required time period.
Automatic notifications are an easy way to ensure assets (software, hardware, applications, etc.) receive patches and updates on a timely basis. As mentioned above, the WannaCry attack could not have proceeded had companies been more proactive about something as simple as forced computer restarts at periodic intervals.
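As an added illustration of the patch-and-restart monitoring the article argues for (example code written for this page, not the article's or LogicManager's), the PowerShell below flags hosts where a tracked update is missing, is installed but still waiting on a restart, or that have not rebooted within a chosen window. The KB id, host list and uptime threshold are assumed placeholders; it assumes WinRM is enabled on the targets and the caller has administrative rights.

```powershell
# Added example: patch-and-reboot compliance check for Windows hosts.
# Assumptions: WinRM enabled on targets, admin rights, and $RequiredKb set to the
# KB id of the update being tracked (the value below is a placeholder).
param(
    [string[]]$ComputerName = @('localhost'),
    [string]$RequiredKb = 'KB0000000',   # placeholder: KB id of the patch being tracked
    [int]$MaxUptimeDays = 14             # alert when a host has not restarted in this many days
)

$check = {
    param($Kb)
    $os = Get-CimInstance Win32_OperatingSystem
    $uptimeDays = [math]::Round(((Get-Date) - $os.LastBootUpTime).TotalDays, 1)
    $installed = [bool](Get-HotFix -Id $Kb -ErrorAction SilentlyContinue)
    # Windows sets these keys when an installed update still needs a restart to take effect
    $rebootPending = (Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired') -or
                     (Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending')
    [pscustomobject]@{
        Computer       = $env:COMPUTERNAME
        PatchInstalled = $installed
        RebootPending  = $rebootPending
        UptimeDays     = $uptimeDays
    }
}

$results = Invoke-Command -ComputerName $ComputerName -ScriptBlock $check -ArgumentList $RequiredKb

foreach ($r in $results) {
    $issues = @()
    if (-not $r.PatchInstalled)           { $issues += "missing $RequiredKb" }
    if ($r.RebootPending)                 { $issues += 'reboot pending, patch not yet active' }
    if ($r.UptimeDays -gt $MaxUptimeDays) { $issues += "no restart in $($r.UptimeDays) days" }
    if ($issues.Count -gt 0) {
        # This is the notification the article describes; in production replace
        # Write-Warning with Send-MailMessage or a ticketing-system call.
        Write-Warning ("{0}: {1}" -f $r.Computer, ($issues -join '; '))
    }
}
```

Run it from a scheduled task so the alert fires at the predetermined interval rather than relying on someone remembering to check.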
Vulnerabilities are often detected by the “right” people before the “wrong” people find them, but unless fixes are implemented in a timely manner, the risk goes unmitigated. Notifications mitigate risk by eliminating the possibility of human error.
Access rights should also be closely monitored and managed. The principle of least privilege, by limiting employees to the access rights they need to perform their jobs effectively, preserves efficiency while limiting vulnerability.
This process begins by implementing and enforcing password complexity and change requirements, then following up with asset management. Asset management – determining which applications, devices, and other resources require access rights protection – can only be accomplished if security is able to collaborate with other departments such as finance, which is most able to provide a master list of all resources in the company’s budget. These rights need to be defined and updated regularly; security must have a way to engage all managers and front-line supervisors.
The access rights process is a good example of why governance plays such an enterprise-wide role. The Wells Fargo sales scandal, in which millions of bogus accounts were created and charged to customers, was partly a result of failed access rights management.
The sales team at any organisation should have the ability to activate new accounts, but not access to sensitive customer data. Senior leadership’s failure to detect and fix this issue was a direct contributor to the creation of the bogus accounts. A risk-based approach would not only have helped uncover the problem, but would have helped management mitigate the vulnerability before the scandal happened.
With good governance, closing the gap between senior leadership’s strategic goals and everyday activities becomes the key to long-term success. With an integrated, risk-based approach, organisations can both reduce their exposure to threats like ransomware and get ahead of security incidents before they happen. This allows the organisation to make better use of existing assets rather than committing more budget to new security technologies.
Sourced by Steven Minsky, CEO of LogicManager