The WannaCry global ransomware attack exposed a collective cyber security failure.
There was no escaping the cyber security apocalypse that struck the world at around 3pm last Friday, when the so-called WannaCry ransomware took hold of tens of thousands of unpatched computers across the world, causing a cyber attack unprecedented in scale.
All major news outlets ran the story, giving almost rolling coverage as it spread and started to cause disruption to major global companies such as FedEx and the UK’s National Health Service.
Within minutes the entire cyber security industry collectively fielded its top experts, consultants and researchers to essentially tell the world “we told you so”, pointing out that those who are now suffering hadn’t heeded their wise and often repeated words of advice.
Microsoft responded swiftly, issuing a software patch for their now unsupported legacy operating systems, Windows XP and Server 2008, which, due to the exploitation of a known vulnerability, had suffered the brunt of this ransomware attack.
We even had Government officials saying how they were committed to improving cyber security across the nation and reassuring the public that the institutions that were now crippled would continue to operate with pens and paper and a good old ‘can do’ attitude.
But nobody has said, and I don’t expect them to say so, that this is a collective failure between business, government and, I hate to say it, the cyber security industry. All three would be well placed to hang their heads a little and realise that, like a child who has not done its homework, they are all in trouble – but there is no need to cry, maybe just a bit of self-reflection and humble reconsideration of their role in fighting this very 21st century crime wave.
The UK government started to pay attention to cyber crime in 2014 with their Cyber Essentials scheme. This scheme encourages organisations to adopt good practice in information security. At its heart, Cyber Essentials has five technical controls that, if implemented, would prevent up to 80% of known cyber attacks. This scheme was then, as it is today, completely voluntary, and by any measure its uptake and adoption across the business community has been poor.
What could be seen as almost a companion to Cyber Essentials is the General Data Protection Regulation (GDPR). This EU regulation comes into full effect in May 2018, just 12 short months from now, and legislates how companies and organisations implement security and governance measures around the data that they hold. Those who suffer data breaches or loss after GDPR comes into force will be subject to potentially heavy financial penalties in the form of fines. However, this message doesn’t seem to be getting through to business leaders, and from what the IT press is reporting it appears that there is a general lack of urgency about becoming GDPR compliant.
The cyber security industry would also benefit from a bit of self-reflection. For years, their marketing strategy has been “there is an unknown boogieman out there who will steal your data, or stop your computers working without warning, but if you buy our product / service / expertise then we can stop that happening to you”. Fear is not a good motivator for any business, especially when they must balance so many other requirements for expenditure and investment. Businesses have responded to the cyber security industry with a “we will do something about it when it happens” approach.
I’m not denying that selling cyber security products and services is challenging, but I hope they will refrain from now using this WannaCry ransomware attack as validation that their approach to selling their products and services has been right all along; I don’t think it has.
As for businesses, if you have been caught with your legacy software unpatched, unsupported and unprotected, then I’m afraid you only have yourselves to blame. I feel for all the IT managers out there who are now desperately making requests for additional expenditure to upgrade all legacy systems, to reinforce their pleas for staff to receive ‘good cyber hygiene’ training and to get cyber security accepted as a business risk comparable to health and safety.
Government, the cyber security industry and businesses need to work far better in cooperation with one another to start to turn the tide against the criminals, but how?
The government can take a stronger stance and seriously consider that additional legislation may be needed to ‘force’ the seriousness of cyber security into the public consciousness. And they could ‘lead from the front’ by getting all public bodies, including the NHS, to obtain Cyber Essentials and to comply with GDPR well in advance of next year’s deadline. If this attack shows them anything, it is that they are very poor at taking their own advice regarding cyber security and data protection.
Businesses need to re-evaluate their internal IT provision and commit to obtaining Cyber Essentials and meeting the requirements of GDPR long before it comes into force. They need to make cyber security part of everyday corporate culture and ingrain best practice throughout every level of their organisation. It’s not an add-on or an optional extra, but a necessity when operating in today’s hyper-connected business world.
And the cyber security industry may want to reconsider why, despite the high calibre of their technology, threat intelligence, consultants and experts, major institutions such as the NHS have not, to date, fully engaged with them and their recommendations on how to protect against cyber attack and data loss.
Let’s all just try a little harder, shall we? Because none of us need to shed any more tears, real or virtual, over the devastatingly disruptive effects of a cyber attack.