Another month, another ransomware attack, and thousands more computer users in major organisations around the world discover their data is locked up and held to ransom as a result of malware.
The economic and reputational cost to those organisations has not been quantified, but it would easily be in the tens of millions as their operations ground to a halt. Add to that the physical dangers when health care, transportation, infrastructure or nuclear power facilities are compromised, and the gravity of the attacks is clear. And if that isn't enough, regulators will be looking at those organisations for their compliance with data protection rules.
So what can you do to protect yourself?
Background: how did WannaCry and Petya spread?
Although there are some differences between the two attacks, the Petya malware attack targeted the same vulnerability exploited by the WannaCry malware attack in May.
WannaCry spread via a known vulnerability in Windows (WannaCry was effective only on machines which had not been patched using the Microsoft update, which had been available since March). Initially it appears to have attacked an exposed, vulnerable SMB port, and then spread via infected attachments in email, and via scripts in hacked websites inserting malicious links. A crucial part of its success was its ability to find vulnerable systems, gain access, and then install and execute a copy of itself, so that it could propagate on its own. It affected around 200,000 computers in 150 countries, and a total of US$126,000 was paid in ransom (although whether all the systems were then unlocked is another question…).
At the time of writing it appears that Petya was created on June 18 and first propagated via fake software updates that appeared to be from a reputable source. Once in, some versions launch a second piece of malware, Mischa, in case Petya fails to deploy.
Petya does not have the same worming ability as WannaCry, but worryingly it can spread on local networks, and once inside them it can then spread even to patched machines. It is not simply locking data; it can also, for example, harvest passwords.
Although a ransom message appears on affected users' screens, Petya cannot reverse its own changes. For this and other reasons, there is speculation that Petya was an act of cyberwar; if it was, it simply shows that collateral damage is not limited to physical wars.
What are the cyber security risk factors?
Cyber attacks don't spread unless the conditions are right, which usually means a combination of weak protections or systems and individual mistakes or inadvertence.
Some of the known risk factors include the technical shifts towards increased connectivity, the internet of things, and cloud computing.
At an enterprise level, the risk factors include:
- systemic failure to implement patches;
- poor corporate governance;
- under-investment in IT, whether because the organisation is an SME or because it is under cash flow pressure (or pressure to pay dividends or return cash); and
- the practical difficulty in transitioning to new systems, or running custom software on patched systems, without business interruption (a problem that particularly affects large organisations such as manufacturers or hospitals ‒ one of the organisations worst hit by WannaCry was Britain's National Health Service).
Getting ready for the next cyber attack
WannaCry and Petya are the harbingers of attacks to come ‒ it is believed that at least a dozen other NSA tools are being repurposed.
If that's not incentive enough to take action, there is increasing regulatory pressure, both here in Australia with the introduction of mandatory data breach reporting, and from next year in the EU, where the General Data Protection Regulation will increase fines on careless companies.
And of course, we should all be expecting a hike in cyber security insurance premiums.
So what should you do?
As an immediate action, review physical and cyber access to your systems. How easily can they be accessed? Do you block dodgy email attachments? Have you left the back door open by using bolt-on systems such as Google Docs?
The first and simplest thing you can do is ensure your organisation has good physical security.
You should also maintain and improve your cyber security training and compliance. This could also mean, for example, embedding cyber security as part of the employee handbook, to emphasise the importance of complying with the organisation's cyber security rules.
The bigger, long-term actions require not just accepting that you can't skimp on old unsupported systems, but also a strategic review and upgrade of your systems with minimal impact on your operations.
It's trite to say "patch your known vulnerabilities", given the operational challenges some organisations have with legacy systems, compatibility with custom software, and the costs of taking systems offline. If they are not patched, however, and your operations are disrupted, you not only lose production, but could trigger indemnity clauses in your contracts with third parties, and those costs will be greater.
Any patching of your systems should be done in a structured and systematic way to minimise compatibility issues and the impact on your deliverables, and to avoid triggering any legal obligations in your supply contracts.
A related issue is what you allow into your systems. Be careful about unsupported software and the ubiquitous USB device: viruses and other harmful code can be introduced by USB.
If you decide to upgrade, build the system transition into your cost planning. This can include running dual systems in parallel as part of the transition. While phased implementation costs more, you will also be creating more checkpoints for you and your IT supplier than you would get with a big-bang implementation.