The WannaCry ransomware attack of May 2017 cost the UK’s National Health Service (NHS) over £100 million and led to the cancellation of 19,000 appointments. The ransomware also caused chaos for the French motor industry and German railways. A report by the National Audit Office (NAO) said, “The WannaCry attack was relatively unsophisticated and could have been easily prevented by the NHS following basic IT security best practice.”
Ransomware hijacks vulnerable computers and holds the user’s files and data hostage by encrypting them until a ransom is paid for their release. WannaCry targeted computers running older versions of the Microsoft Windows operating system. However, Microsoft had spotted the threat posed by WannaCry and released a security patch in March 2017. Nevertheless, many systems remained unpatched two months later, allowing WannaCry to spread rapidly across the globe. In the end, WannaCry infected over 230,000 computers in 100 countries.
To pay or not to pay?
Once infected by ransomware, an organisation has just two options: pay the ransom and trust the cyber criminals to release your data, or refuse to pay and rely on your backup systems to restore your files and data. Of course, if you don’t already have a robust data backup and disaster recovery plan, then you are in trouble. Just a month ago, two Florida towns hit by ransomware attacks agreed to pay hackers $1.1 million (£875,000) to recover their data. In a news report by the BBC, Florida officials said they felt that paying the ransom was the most efficient way of regaining computer access. Once again, a lack of basic IT security precautions left these two towns vulnerable to attack and exploitation.
Punished for poor security
In most cases, all the disruption and expense of a ransomware attack is avoidable. Moreover, a failure to implement the most basic cyber security precautions can also mean massive fines and public ridicule. Just a week ago, British Airways and Marriott Group were fined a combined £282 million by the Information Commissioner’s Office (ICO) under the EU’s General Data Protection Regulation (GDPR). In the case of British Airways, the Magecart hacker group compromised its website and stole the credit card and personal data of 380,000 customers over a two-week period. In a statement, the ICO said that British Airways had “very poor security arrangements”.
Prevention cheaper and easier than cure
The common thread that runs through all these news stories is that most cyber attacks and data breaches are avoidable. In cases where an attack is not preventable (a zero-day exploit), having a proper backup plan will help minimise disruption and accelerate recovery. The reason companies like Modern Networks bang on about patching known vulnerabilities and replacing old, unsupported systems is that the next WannaCry is already out there.
BlueKeep is a security vulnerability discovered in Microsoft’s Remote Desktop Protocol (RDP). BlueKeep has the potential to devastate computer systems by allowing hackers to spread malware remotely. This means a hacker will not need you to open an email, download something or click on a link to infect your computer. Instead, they will simply drop the malware directly onto your computer. Microsoft publicly announced a security patch back in May of this year. Nevertheless, it is estimated that over a million computers remain unpatched and vulnerable worldwide. If your organisation is running older, unpatched versions of the Windows operating system such as Windows Vista, Windows XP and Windows 7, then the clock is ticking. It is certain that someone somewhere is already writing the malicious code that will enable them to exploit BlueKeep.
The importance of IT Policy
To avoid becoming the next victim of a ransomware attack or data breach, ensure that your systems are up to date and security patched regularly. As the towns in Florida recently discovered, having robust data backups and disaster recovery plans can save you from disruption, embarrassment and financial loss. Of course, patch management and backup procedures should be part of your organisation’s overall IT policy. Today, even the smallest firms rely on computers, email and the Internet to do business. An IT policy provides clear processes and procedures that everyone can follow to ensure the proper use of technology and protect data privacy. To neglect IT basics is to invite disaster.
Sources: Computing.co.uk, The Hacker News, ZDNet, Silicon Republic, BBC.com