Lessons to be learned from last month’s global WannaCry ransomware attack
Technology risks are ubiquitous and inescapable both for business and our personal lives. Awareness of such threats is better than it has ever been, particularly from a corporate and risk management perspective, but serious vulnerabilities remain.
These were demonstrated starkly and on a global scale during May’s WannaCry ransomware attack which affected around 250,000 computers in 150 countries. Screens were locked, data encrypted and users were given an onscreen ransom note demanding payment via Bitcoin or risk losing files permanently.
The incident was unprecedented in terms of its magnitude and impact. While most major organisations were relatively unscathed, several – including Spanish telecoms company Telefonica, FedEx, Deutsche Bahn and the UK’s National Health Service – did suffer breaches.
None of those affected were targeted specifically; instead, the attack was launched via a vulnerability within the now unsupported Microsoft operating system Windows XP, which was first discovered by the US National Security Agency. Microsoft released a patch in March to counter this, but organisations and individuals who failed to apply it were left exposed and many were hit by WannaCry two months later.
The initial rapidity of the attack was slowed significantly by security experts who located a so-called “kill switch” but new iterations appeared subsequently which bypassed this and have continued to infect machines.
The WannaCry attack was widespread and sparked a media frenzy but it was still relatively small in terms of impact when compared with the so-called Doomsday scenarios some predict could still happen where critical infrastructure is deliberately targeted. While the identity of the perpetrators is unclear - there are suggestions that professional criminal gangs or even a rogue nation such as North Korea were behind this incident - it was not a concerted effort to bring business or even governments to their knees. WannaCry was more frustrating than fatal.
Nonetheless there are plenty of lessons to be learned from the event which can be applied by risk professionals and their businesses to make them better prepared to withstand a more potentially damaging incident.
Eireann Leverett, senior risk researcher at the Cambridge Centre for Risk Studies, said the WannaCry ransomware event was “not unprecedented, or unpredictable” but he did agree it was significant as “the most recent and popular ransomware event.”
Leverett said that the cyber risk industry should note that “it came with many warnings” – not least the release of patch MS17-010 by Microsoft.
“The community may be getting a wakeup call but it seems to have gone to voicemail the first five or six times,” he said.
Martin Borrett, chief technology officer, IBM Security Europe, said the true cost and extent of the WannaCry attack “won’t be known for a while yet” but it was “vitally important for all organisations to look to this as a learning opportunity”.
Even companies not affected needed to reappraise their approach to cyber security in the wake of the attack. Knowledge is improving but there are still major gaps in understanding. Better cyber education was fundamentally important, said Borrett.
“IBM surveyed more than 700 C-level executives on cybersecurity and found that many business leaders are confused about the true nature of cybersecurity threats and how to effectively combat them,” Borrett said. “Ultimately, it’s going to be down to those with the knowledge of this area in educating others, ensuring that they are equipped to understand the risks and make informed decisions on cybersecurity. With this education and attitude of business risk prevention, companies will begin to have security engrained in the core of how they operate. This is when we will start to see some real change to counter the professional and motivated criminal side to the connected world.”
That view was also endorsed by FERMA President Jo Willaert who said company executives had a vital role to play in terms of a coordinated and coherent response.
“The worldwide cyber attack illustrates clearly that the management of cyber risks should be an enterprise-wide project directed from board level within a sound governance framework,” Willaert said.
“It also shows us that private sector organisations, suppliers of critical IT infrastructure, governments and security agencies must collaborate to build resilience to ever-shifting cyber threats.”
To reinforce the point Willaert said that FERMA was undertaking an “important” cyber security initiative in cooperation with the European Confederation of Institutes of Internal Auditing. Later this month [June], at the European Parliament, it will publish a series of recommendations for organisations on creating robust cyber risk governance.
InsurTech pacesetter and risk consultant, Stephen Cross, the former Aon chief innovation officer, said the root cause of cyber vulnerability was much more basic – complacency. It was, Cross added, a concern not exclusive to this particular risk but instead part of a wider pattern which caused exposure.
“We repeat the same mistake over and over - and that is to shut the stable door after the horse has bolted,” Cross said. “So many previous disasters exhibit such similar patterns, as in: problem identified, warnings made, matter ignored, massive catastrophic incident occurs, time passes and pattern repeated. Examples include: Hurricane Andrew wipes out massive areas of southern Florida and later the well documented issue of shoddy building standards and code gets addressed.
“September 11 2001 was not the first time the World Trade Center was attacked. [After 1993] The terrorists waited another eight years and came back with a different plan but the same objective. The problems of New Orleans were well documented yet only addressed after the floods.
“Cyber attacks occur by the thousand every day. These are well documented and are large scale and cross border. They can be indiscriminate in approach or highly targeted. We all know the risk yet so many choose to still believe it won’t happen to them. Risk complacency is everywhere. It’s regrettable, but it’s a reality and the vulnerable get identified, targeted and potentially destroyed.”
Reducing cyber vulnerability is not challenging in its basic form. Helen Carpenter, portfolio lead, liability and cyber at RSA, outlined a number of “simple but effective steps” to cut the chances of a business being caught out by an unsophisticated attack [see box]. But, she warned, there were “no fail-safes when it comes to cyber security”.
“Businesses should still consider how long they can afford to be without their systems, or how costly a data breach could be, and that goes for both financial and reputational damage,” Carpenter said. “Once they have established their appetite for cyber risk, they can then look at using cyber insurance to transfer any exposure over and above this limit.”
Leverett said how insurers responded to the WannaCry attack was important. “The cyber insurance industry is quickly realising their exposure to silent and affirmative covers around these issues,” he said.
“They may choose not to pay out affirmative cover on the grounds that people did not apply the patch, but that only applies to affirmative cover and not silent risks. In the future, studying the rate and scale of patch deployment in different timescales will be crucial, and not just on Windows machines. The software diversity of the internet is key to understanding the harmful potential to such debates, and it is a continually changing landscape.”
Leverett said insurers should consider working more closely with groups and individuals he called “volunteer defenders of the internet” such as “Malware Tech” [the online name of the individual who discovered the WannaCry “kill switch”] and the Computer Emergency Response Teams communities FIRST and TF-CSIRT. Their prompt action “significantly reduced the rate of ransoms, and also increased the speed of the clean-ups”, Leverett said.
Kenneth Dort, partner at law firm Drinker Biddle, said the WannaCry attacks should have little impact on insurers as most of those affected were unlikely to have been insured.
“Entities that do not take reasonable steps to protect their data through patching or regularly backing up data, would very likely not have gone the extra step to obtain cyber insurance as they are likely already tightly controlling IT costs,” Dort said.
“Further, entities that are not updating and patching would probably not be able to pass a baseline audit from a cyber insurance carrier. As a result, cyber insurance would likely have not been a consideration for many of the entities who were victimised by the WannaCry attack.”
Most experts agree that WannaCry was a timely wake-up call to an issue that can only get worse. Unless effective action is taken on an ongoing basis, businesses may not be so fortunate next time.
“While ransom is the choice of monetisation for the terminally and economically incompetent, we can expect to see it again soon,” said Leverett. “We’re just lucky attackers haven’t learned more subtle ways of monetising with such tools.”
SIMPLE STEPS TO MORE EFFECTIVE CYBER SECURITY
● Ensure your computer’s operating system is fully up to date and that you are using commercially licensed firewalls and anti-virus software. It is a must to patch these regularly, too. Many attacks come from criminals exploiting known problems with software, but regular patching can reduce or eliminate this risk;
● Think before opening any emails you did not expect and do not open attachments unless you are certain of the contents;
● Back up, back up, back up – if you can recover your files from a backup, you cannot be held to ransom for those files. Having a copy of your data – and in particular, your most important data – means you can be back up and running much faster, limiting downtime and minimising reputational damage. Although you can’t stop a cyber event happening, having a secure backup of your data stored separately prevents it from having a catastrophic effect on your business;
● We recommend following the NCSC’s 10 Steps to Cyber Security, which are simple but effective tips published by the UK government. They are a good starting point for any business;
● Staff awareness is critical. Technological defences are important but all too often it is the humans who operate them who open the door. Even simple but regular training around email can help – for example, think before opening emails and especially attachments from people you don’t know, or which you were not expecting. If you can call the sender to verify the contents of the email, even better.
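The backup advice in the box only pays off if the separate copy has been proven restorable before an incident, which is the step most organisations skip. The script below is an added example, written for this page and not taken from the article or from any of the quoted experts: it copies a working directory into a separate backup location together with a SHA-256 manifest, verifies the backup against that manifest, and then restores after the working files have been overwritten with constructed placeholder content standing in for an encrypting attack. All directory names, file names and file contents are constructed for the demonstration.

```python
"""Added example (not from the article): back up, verify, and prove a restore works.

Scenario, with constructed sample data: a working directory is backed up to a
separate location with a SHA-256 manifest; the working copies are then overwritten
(standing in for files encrypted by ransomware); the backup is restored and every
restored file is checked against the manifest.
"""
import hashlib
import json
import shutil
import tempfile
from pathlib import Path

MANIFEST_NAME = "manifest.json"  # hypothetical manifest file name used by this demo


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def make_backup(source: Path, backup_root: Path) -> dict:
    """Copy every file under source into backup_root and record each file's hash."""
    manifest = {}
    for p in sorted(source.rglob("*")):
        if p.is_file():
            rel = p.relative_to(source).as_posix()
            dest = backup_root / rel
            dest.parent.mkdir(parents=True, exist_ok=True)
            shutil.copy2(p, dest)
            manifest[rel] = sha256_file(p)
    (backup_root / MANIFEST_NAME).write_text(json.dumps(manifest, indent=2))
    return manifest


def verify_backup(backup_root: Path) -> list:
    """Return the relative paths whose backup copy is missing or no longer matches the manifest."""
    manifest = json.loads((backup_root / MANIFEST_NAME).read_text())
    bad = []
    for rel, digest in manifest.items():
        p = backup_root / rel
        if not p.is_file() or sha256_file(p) != digest:
            bad.append(rel)
    return bad


def restore(backup_root: Path, target: Path) -> list:
    """Restore every manifest file into target; return files that fail verification after restore."""
    manifest = json.loads((backup_root / MANIFEST_NAME).read_text())
    failed = []
    for rel, digest in manifest.items():
        dest = target / rel
        dest.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(backup_root / rel, dest)
        if sha256_file(dest) != digest:
            failed.append(rel)
    return failed


def demo() -> dict:
    """Run the constructed scenario end to end and report what each check found."""
    with tempfile.TemporaryDirectory() as tmp:
        live = Path(tmp) / "live"
        backup = Path(tmp) / "offline_backup"  # stands in for a separately stored copy
        (live / "notes").mkdir(parents=True)
        (live / "invoices.csv").write_text("id,amount\n1,100\n")
        (live / "notes" / "plan.txt").write_text("quarterly plan\n")

        manifest = make_backup(live, backup)
        backup_clean = verify_backup(backup) == []

        # Overwrite every working file, standing in for an encrypting attack on the live data.
        for p in live.rglob("*"):
            if p.is_file():
                p.write_bytes(b"ENCRYPTED-PLACEHOLDER")
        live_damaged = all(sha256_file(live / rel) != d for rel, d in manifest.items())

        failed = restore(backup, live)
        restored_ok = failed == [] and all(
            sha256_file(live / rel) == d for rel, d in manifest.items())

        # A backup that has itself been altered must be flagged, not silently trusted.
        (backup / "invoices.csv").write_text("garbage")
        tamper_detected = verify_backup(backup) == ["invoices.csv"]

        return {"files": len(manifest), "backup_clean": backup_clean,
                "live_damaged": live_damaged, "restored_ok": restored_ok,
                "tamper_detected": tamper_detected}


if __name__ == "__main__":
    print(demo())
```

The point of the `verify_backup` step is that a backup copy stored on a share that the infected machine can also write to is not "stored separately" in the sense the box means; running the manifest check from the backup side, on a schedule, is how you learn that before you need the restore.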