This could have been a lot less devastating. The news broke on Friday, May 12, 2017, that crypto-locking malware was spreading around the globe, infecting "everything in its path." Banners flashed across screens from Dayton to Denmark. "WannaCry" (also known as "WannaCrypt" and "WanaDecrypt") is ransomware: once it runs on a computer it encrypts the user's files and replaces the desktop with a ransom note demanding a fixed payment for the key that decrypts them. WannaCry spread quickly on Friday because it is also a worm: after infecting one machine it scanned for others on the network and infected them with no user action at all, reportedly hitting companies such as FedEx and government institutions. As the story unfolded, however, we found out that the risk was not as expansive as once thought. It only affected Windows systems that either had not received a security update issued two months earlier or were running versions of Windows so old that they no longer received updates. That is still bad, but hardly the worldwide shutdown originally reported. Furthermore, we learned that the risk could have been mitigated if people and companies had simply followed through on some data governance basics and best practices. Here are but three of those practices. None of them is groundbreaking, as we have shared before.
1. Don't click on links or attachments. Early reporting attributed the initial foothold to a user clicking a link in an e-mail or opening an infected attachment. For WannaCry that was never confirmed, and its worm component needed no click at all: it spread from machine to machine through an unpatched Windows file-sharing (SMB) service. But phishing remains the most common way ransomware gets into an organization in the first place, so the lesson stands. Now, I am not suggesting we can ever be 100% secure or that we will ever see a time when phishing doesn't work. In actuality, it is the other way around. Some phishing e-mails are so expertly crafted that even the best of us click. No, that is not my point. My point is that security awareness training, including teaching employees and citizens that cyber risks will never cease, remains one of the most productive ways to mitigate the risk of cyberattacks. Train, train, train. And then verify. One employee may be the difference between staying in business and going offline for good.
2. Update and patch your systems. The vulnerability exploited by WannaCry was a known issue, and Microsoft had published a fix for it (security bulletin MS17-010) in March 2017, two months before the outbreak. So the systems could have been protected if their owners had simply installed the latest updates, manually or automatically. This would have stopped the worm on the large majority of the Windows systems it infected. However, companies and individuals put off running updates, likely because of the disruption to their work, as most updates require a reboot. We have all clicked through those messages. Here is another reminder not to do so. Taking five minutes to patch is better than taking five days to rebuild a machine and recover its data.
3. Get off outdated platforms. During a panel this past week, I mentioned the risk of running outdated systems. I shared how I continue to be amazed at how many systems still run Windows XP. This is an operating system that shipped in 2001 and is more than 15 years old, and Microsoft ended support for it in 2014. Yet many companies and products still run XP, including Britain's National Health Service. While it is always fun to talk about the "workhorse" of operating systems and its longevity in a disposable, upgradable world, keeping such dinosaurs around has real risks. The money saved by keeping an outdated system running is a molehill next to the cost of responding to the incidents it invites. WannaCry just made that point again. According to Krebs on Security, "Microsoft issued a patch to fix this flaw back in March 2017, but organizations running older, unsupported versions of Windows (such as Windows XP) were unable to apply the update because Microsoft no longer supplies security patches for those versions of Windows." (Microsoft did take the unusual step of releasing an emergency update for XP on May 12, but only after the outbreak was under way, and an unsupported platform cannot count on that happening next time.) It is not a sin to be a slow adopter of technology. Indeed, I recommend such an approach to avoid security flaws in newly released (and untested) platforms. However, a solid data governance and security management program includes long-term planning, strategically and financially, for the next system and for the risks to be avoided.
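Points 2 and 3 come down to two questions a Windows administrator can ask of every machine: is the MS17-010 update installed, and is the old SMBv1 file-sharing protocol that WannaCry's worm component rode in on still switched on? The following PowerShell script is an added example (not code from the original post or from Microsoft) that answers both for one host and, with -Remediate, turns SMBv1 off and keeps port 445 closed on untrusted networks. The KB identifiers are the MS17-010 packages for the Windows versions named in the comments; treat the list as an assumption and confirm it against the MS17-010 bulletin for your exact SKU. Windows 10 received the fix inside its cumulative updates, so for Windows 10 confirm that cumulative updates from March 2017 onward are installed rather than relying on this list.

```powershell
<#
  Added example, not part of the original post. Audits a single Windows host for the
  two conditions WannaCry relied on: an SMBv1 server that is still enabled and a
  missing MS17-010 update. Run from an elevated PowerShell prompt (PowerShell 3+).
  The KB list below is an assumption to be checked against the MS17-010 bulletin.
#>
param(
    [switch]$Remediate   # also disable SMBv1 and block inbound 445 on the Public profile
)

$ms17010Kbs = @(
    'KB4012212', 'KB4012215',   # Windows 7 SP1 / Server 2008 R2 (security-only / monthly rollup)
    'KB4012213', 'KB4012216',   # Windows 8.1 / Server 2012 R2
    'KB4012214', 'KB4012217',   # Server 2012
    'KB4012598'                 # Vista / Server 2008, and the May 2017 out-of-band build for XP, 8, 2003
)

# 1. Is the SMBv1 server still switched on?
$smb1Enabled = $null
try {
    $smb1Enabled = (Get-SmbServerConfiguration).EnableSMB1Protocol
} catch {
    # Windows 7 / 2008 R2 have no SmbShare module. The documented switch there is the
    # LanmanServer\Parameters\SMB1 registry value: missing or 1 = enabled, 0 = disabled.
    $params = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $value  = (Get-ItemProperty -Path $params -Name SMB1 -ErrorAction SilentlyContinue).SMB1
    $smb1Enabled = ($null -eq $value) -or ($value -ne 0)
}

# 2. Is one of the MS17-010 packages installed? (Get-HotFix lists installed updates by KB.)
$installed = Get-HotFix | Where-Object { $ms17010Kbs -contains $_.HotFixID }

$os = Get-CimInstance Win32_OperatingSystem
Write-Host ("Host: {0}  OS: {1} build {2}" -f $env:COMPUTERNAME, $os.Caption, $os.BuildNumber)
Write-Host ("SMBv1 server enabled : {0}" -f $smb1Enabled)
Write-Host ("MS17-010 KB present  : {0}" -f $(if ($installed) { $installed.HotFixID -join ', ' } else { 'none found' }))

if ($smb1Enabled -and -not $installed) {
    Write-Warning "Exposed: SMBv1 is enabled and no MS17-010 update was found on this host."
}

if ($Remediate) {
    # Disable the SMBv1 server (Windows 8 / Server 2012 and later). Clients that only
    # speak SMBv1 will lose access to this host's shares; that is the point.
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force

    # Keep TCP 445 closed on untrusted (Public) networks even after patching, so a
    # laptop on hotel Wi-Fi is not reachable by the next SMB worm.
    New-NetFirewallRule -DisplayName 'Block inbound SMB on public networks' `
        -Direction Inbound -Protocol TCP -LocalPort 445 -Profile Public -Action Block | Out-Null

    Write-Host "SMBv1 disabled and inbound 445 blocked on the Public profile. Now run Windows Update and reboot."
}
```

Run it without -Remediate first, from a scheduled job or a remote session, and collect the output across the fleet: the hosts that print the warning are the ones that would have been hit on May 12. Disabling SMBv1 is the change worth making even on patched systems, since the protocol itself is the legacy attack surface and the patch only closes one hole in it.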
In closing, I don't mean to oversimplify this latest attack. These attacks are always complicated and find ways to exploit their victims differently. And this is to say nothing of the alleged role of the NSA in keeping such exploits around for its own use. No, this is a tangled web to unravel. The threat is real and complex. You can never have perfect security, but you can do a lot to minimize the most common risks. Those risks are not just risks to your hard drives and operating systems; they can also arrive as litigation or regulatory action for failure to implement reasonable, risk-based information controls. Companies and citizens alike would be well served to start baking the basics of data privacy and security into their day-to-day operations. Like Windows XP, the risk is never going away.