The WannaCry attack once again exposed the human frailties behind cyber security
The devastating effect of cyber-crime upon industry has once again been played out on a global stage, this time in the form of the WannaCry ransomware.
At the heart of this incident, as with a high percentage of all cyber attacks globally, lies human risk and the mistakes that individuals make. The WannaCry attack highlights three examples of the “unintentional insider” threat:
- Failure to quickly and successfully patch an existing vulnerability;
- Lack of effective employee cyber awareness, leading to staff clicking on suspicious links or opening unknown or unexpected email attachments; and
- Ineffective back-up policies and procedures within an organisation.
Malicious actors understand that technical defences and controls rarely fail, and that physically and successfully “hacking” or “cracking” your way into a complex network can be difficult and lengthy. While not confirmed in the WannaCry attack, social engineering – predominantly phishing or spear-phishing emails – is a tried and tested technique. By getting an individual to make the mistake (clicking on a link within an email, opening a malicious attachment, etc.) an attacker can bypass the technical controls in place. Without doubt the hacker(s) would have known who or where to target, and would possibly have had a good appreciation of network infrastructures (and of who had not instigated the patch).
Though IT – and to some degree the risk function – is seen as leading cyber strategies, other functions have a more direct role in protecting the enterprise than many organisations realise. The vast majority of cyber incidents are ultimately initiated by employee behaviour, so understanding gaps in talent and enterprise capabilities is critical to assessing cyber risk.
The continued technical advancement of hostile actors in cyber space, combined with the almost instantaneous speed with which they can develop and deploy malicious payloads or launch denial-of-service attacks, is also a serious concern. As global organisations rely on interconnected systems and networks for their day-to-day operations, the dependency on IT often comes at the price of security. A failure to address the cyber risks they face, and a reluctance to adequately resource and finance their IT or cyber security teams, will result in the continued targeting of vulnerable organisations by malicious hackers.
The most recent global cyber-attack and the resulting publicity have reinforced the importance of increased regulation in this area. There are two significant pieces of legislation. The first, the EU General Data Protection Regulation (GDPR), will replace the Data Protection Directive 95/46/EC and is designed to harmonise data privacy laws across Europe, to protect and empower all EU citizens’ data privacy and to reshape the way organisations across the region approach data privacy.
EU NETWORK SECURITY DIRECTIVE
In addition, the UK government confirmed in its Cyber Security Regulation and Incentives Review published in December that the EU’s Network and Information Security Directive (NISD) will be implemented in the UK.
In light of the UK’s vote to leave the EU there was speculation about the government’s intention to implement the NISD; however, the review provides clarity around the UK’s implementation plans. The NISD will have to be implemented into national law by 9 May 2018.
The directive will impose obligations on the providers of “essential services” and “digital service providers” (DSPs) to take appropriate measures to ensure the security of their network and information systems and manage the impact of cyber “incidents” so as to minimise interruption to services.
Organisations will, moreover, be required to notify such incidents (not merely personal data breaches, as in the case of the General Data Protection Regulation - GDPR) to the national competent authority or computer security incident response teams without undue delay.
In the case of DSPs, notification is required where the incident is likely to have a “substantial” impact on the provision of the digital services in question and where it is likely to significantly affect the continuity of the essential services.
A crucial distinction between the NISD and the GDPR is that the directive’s notification obligations extend beyond personal data breaches to cover cyber incidents, including outages affecting the provision or continuity of services.
In the same way that the GDPR is understandably expected to increase demand for data protection insurance, so the NISD is likely to drive companies’ appetite for other cyber insurance covers.
The US experience has shown that notification requirements, which result in cyber incidents entering the public domain, are likely to increase the volume of third-party claims.
It is therefore essential that the C-Suite and boardrooms look beyond the well-publicised GDPR to the NISD. Creating a practical awareness strategy that effectively communicates the cyber threats facing their business, stakeholders and customers and, crucially, provides actionable mitigation techniques, should be high on the agenda of all organisations.
Malicious actors understand that cyber security, both at a personal and organisational level, is only as good as its weakest link. This is often us – the human. As companies across the world look to make increasing use of automated and “connected” services, there must also be a comprehensive awareness package in place that assists individuals, as well as smaller businesses with limited budgets for IT security, with the security of their data, and that offers staff training and cyber awareness. Organisations need a fully integrated, comprehensive plan that emphasises people, capital and technology protections to effectively manage cyber risk across the enterprise and ensure resilience.