Last weekend, a virus called “WannaCry” swept through Asia, Africa, and Europe, encrypting the data of thousands of individuals and businesses. Although it demanded a ransom that, if paid, promised the user access to encrypted data, few paid the ransom, and many who did never regained access to their data. It was the largest ransomware attack ever, even though it was stopped before it impacted much in the United States.
Since the attack, I have read numerous security posts about why this attack is just more proof that people and businesses should adopt the security measures those writers had previously published. While I agree with most of those posts, I think that the unprecedented nature of this attack creates a different opportunity – to discuss some fundamental lessons that every business owner needs to accept as the modern reality.
Here are Six Lessons You Need to Learn from the WannaCry Cyber Attack:
1) Everyone is a target
When it comes to hacking, I’m fond of the metaphor of the fisherman. When a fisherman is going after a specific type of fish, a lot of preparation and knowledge about that specific fish is needed: What type of pole and line works best? What type of body of water, and where in that specific body of water, can the fish be found? How deep should the line be dropped? What bait is needed?
Most businesses are prepared for hackers who are looking for a specific fish – the “important” data in their systems. Unfortunately, just like in the fishing industry, the vast majority of successful hackers aren’t using a fishing pole; they’re using a net.
Is your office network online? Then you’re a target. Get used to it, and plan accordingly.
2) We can no longer rely on the “honor” of thieves
Why does someone pay a ransom? They believe that by doing so, whatever is being held hostage – whether it’s a person, a tangible thing, or their data – will be released. It’s what the entire system of Ransomware is built on: a very perverse form of trust.
Well, as the FBI has been warning for the past couple of years, the likelihood that you will actually get your data back has been decreasing as ransomware tools have proliferated. However, the WannaCry hackers took that to a whole new level – and may have permanently destroyed the “trust” that ransomware depends on.
Believe it or not, ransomware is a business, and a highly successful one in certain parts of the world. But for that business to proceed, hackers need to be able to count on receiving your ransom payments. In my opinion, the failure of this system will have two major implications for the future of ransomware:
1) Hackers who rely on ransom payments will turn to increasingly complicated ransomware (requiring multiple payments before data is released or, more frighteningly, relying on ransomware that encrypts hardware rather than data – that’s right, HARDWARE, and it’s coming!); and
2) an increase in the use of ransomware as a disruptive tool, which brings me to…
3) Some people just want to watch the world burn
People were turned away from emergency rooms because someone wanted to cause a disruption, and they didn’t care who it hurt.
There are three main reasons that a hacker goes after someone else’s data:
2) Information, or
The first two types of hackers are the type we know – the first group steals credit card numbers, personal information for identity theft, or ransoms your encrypted data for a payday; the second group are the ones looking for specific information, whether they’re looking for compromising emails, intellectual property, or national security information.
The third group is considerably more terrifying – their only goal is to shut your system down. Occasionally in the past, these types of hackers have been characterized as those like the “Anonymous” hackers, looking to sow chaos. But the truly terrifying groups are those working on behalf of repressive regimes, especially when those regimes appear to have nothing to lose.
Not long ago, Russian hackers hit the Ukrainian power grid. Hackers in Syria have repeatedly disrupted access to media organizations that have portrayed the Assad regime… accurately. It appears that the WannaCry hackers are likely North Korean, and that the hack may have been timed to draw international attention away from their missile launch.
4) Your cyber liability policy needs to cover ransom… as well as when ransom doesn’t work
You probably haven’t thought all that much about whether or not you’d pay a ransom to get access to your data, but your insurance carrier has. They’ve been aware of the threat of ransomware for a long time, and how they’ll respond is right there in your cyber liability insurance policy. But I’d bet you couldn’t tell me how they’d respond, even with your policy right in front of you.
That’s the nature of the beast these days, unfortunately. Your policy needs to cover ransom payments to get your data. Sure, you need quality backups, and it’d be nice if those would work, but it’s not always possible. New variants of ransomware are specifically targeting backup systems. Others (as I ominously discussed above) will encrypt your actual computers or devices, rendering them useless even if your backup is safe.
But your policy also needs to protect you when, also as discussed above, the ransom payment doesn’t get your data back. The most underappreciated cost of a data breach is lost time, and if you don’t get your data back after paying a ransom, your business will be down a lot longer than you anticipated. Will your insurance protect you?
5) It’s the basic, tedious, unglamorous security measures that really matter
Most of us like to put cyber security on the back burner. It’s complicated, outside of our area of expertise, and, to be honest, a little terrifying to constantly think about. So when it comes to our levels of preparation, we like to think that shiny new devices, expensive new software, or an impressive team of IT personnel is the best way to protect ourselves.
Just like anything difficult, the most effective way to do something is to do it right from the bottom up. Your first line of defense against cyber attacks like the WannaCry ransomware is the vigilance of you and your employees. Vigilance requires awareness.
Awareness requires training. Regular training. For everyone. Including you.
It’s not fun, and it can seem tedious. It takes you away from directly working on your business – at least that’s what you argue. But trust me, you’d rather lose an hour every two months than lose two solid weeks because you accidentally clicked on a malicious link in a spear phishing email.
Other basic, less-discussed security measures, such as ensuring your computers and devices are always running the most up-to-date versions and frequently running anti-malware systems like Malwarebytes, are critical as well. In fact, since newer viruses like WannaCry can infect entire networks, keeping your system updated is probably the single best way to protect your computer and devices.
6) Apple was right… but it won’t matter
Last year, the FBI insisted that Apple unlock two iPhones related to the San Bernardino shooting, sparking a nationwide debate on whether technology companies should engineer ways for governments to view encrypted information. Although they denied it, the government, and those supporting the government’s position, were calling for “backdoors” to be built into software and devices to allow access.
Tim Cook, and cyber security experts all over the world (including myself), objected, pointing out that once you create a backdoor, you have no way to guarantee that only the “good guys” can use it.
The WannaCry hackers, using a tool developed by the NSA to allow access to computers running on Windows, just proved Tim Cook right. If the NSA can’t protect their own secrets and tools – the FREAKING NSA! “Security” is the SECOND word in their TITLE! – what chance does the New York District Attorney’s office have?
Unfortunately, this debate has never been about keeping the data of regular citizens safe. It’s about the power and reach of the government in the name of security. Don’t believe me? Ask yourself this question: why does the government, any government, ask for increased security powers after a catastrophic event, instead of investigating why the powers they granted themselves the last time there was a catastrophic event didn’t work?
The NSA developed a tool that gave them access to vulnerabilities in the Windows operating system. That tool was stolen, and this past weekend was used to shut down computer systems all over the globe, including the British National HealthCare System, German train lines, Chinese colleges, and thousands of small businesses.
But that fact will not stop governments all over the world from demanding new powers of surveillance over their citizens in the event of a terrorist attack.