The impact of the recent, lethal WannaCry and NotPetya attacks have been staggering with the ransomware hitting nearly 100 countries and some of the world’s largest organisations – who presumably have the financial might and resources to invest in warding off such strikes. And yet, the ransomware penetrated deeply and widely. Three things have come to the fore – no organisation is immune from security breaches; there is no silver bullet for protection; and most crucially, paying attention to security fundamentals is paramount. Let’s look at the core areas:
- Very plausibly, the impact of WannaCry could have been significantly mitigated had the affected organisations patched the EternalBlue vulnerability in Microsoft Windows’ Server Message Block (SMB) protocol. Patching is one of the primary tenets of security. Ideally, patching should be automated, but if there is reluctance in the IT organisation to patching, an education-led, gradual approach is suggested. Perhaps look to put processes in place to patch secondary systems, test patching plans and then roll out to the other systems across the network.
- Segment the network so that in the event of an attack, the section of the infrastructure that is hit can be easily disconnected from the rest to protect the larger organisation. By segmenting the network, organisations may find that in the unfortunate event of an attack, the impact is already significantly mitigated as the portion of the infrastructure in question is already isolated. Today Network Access Control (NAC) and micro-segmentation technologies are available.
- Back-up data. This is essential for any organisation’s business continuity plans. Cyber criminals don’t have an ethics code, research shows that SMEs who pay ransom don’t necessarily get their data back. By backing up data, a breached organisation can be up and running quickly, saving itself unnecessary and unforeseen costs, which could potentially be crippling.
In addition to the near-zero/cost-effective back-up and storage solutions currently available, cloud back-up services are worth investigating. These solutions simplify storage and restoration processes, and offer Service Level Agreements. Again, a well-thought through approach to back-up is best – identify data that is business-critical and establish the necessary back-up processes. Especially from a GDPR perspective, ensure that the organisation’s back-up strategy accommodates a quick way to remove data from the back-ups too, should such requirements arise.
- Time and again events have highlighted ‘people’ as the weak link in security; and cyber criminals are rampantly exploiting this vulnerability too. Training employees to spot that phishing email or that dubious embedded internet link, is vital to protecting an organisation’s business environment. In addition to security awareness training, consider testing the organisation’s security readiness by undertaking phishing simulations. A real-world like experience can be very effective in training employees to constantly stay vigilant too.
How mature is your organisation’s security?
With the fundamentals in places, it’s key to assess the organisation’s security maturity in order to determine the gaps in processes and technologies deployed. It allows the organisation to identify the solutions that need to be overlaid onto the core security measures to mitigate threats. For example, inventorying data, identifying the business-critical assets and creating a threat profile will help determine which data sets are most at risk and what the related vulnerabilities are so that the necessary actions can be taken.
Underlying all this is having the right skillset in place to make the assessments and determine the solutions that will most effectively build up the organisation’s defences. Today there is no dearth of security tools and solutions, but determining what combinations of processes and technologies will deliver the highest level of security requires an in-depth understanding of the internal and external security landscape alongside experience and expertise. Therefore, investing in the right security people is fundamental too.