1. Don’t click on links or attachments. Hardly surprisingly, none of this happens if the virus never gets a foothold, which it does when a user clicks a link in an e-mail or opens an infected e-mail attachment. Yes, yet again, people are the root cause of the issue. Now, I am not suggesting we can ever be 100% secure or that we will ever see a time when phishing doesn't work. In actuality, it is the other way around: some phishing e-mails are so expertly crafted that even the best of us click. No, that is not my point. My point is that security awareness training, including teaching employees and citizens that cyber risks will never cease, remains one of the most productive ways to mitigate the risk of cyberattacks. Train, train, train. And then verify. One employee may be the difference between staying in business and going offline… forever.
2. Update and patch your systems. Indeed, the vulnerability exploited by WannaCry was a known issue, for which a patch has been available since March of 2017. So, the systems could have been patched if the users had simply run the latest updates (manually or automatically). This would have protected a large portion of the Windows systems currently infected. However, companies and individuals put off running updates, likely because of the disruption to their work, since most updates require a reboot. We have all clicked through those messages. Another reminder not to do so. Taking 5 minutes to patch is better than taking 5 days to recover your hard drive.
3. Get off outdated platforms. During a panel this past week, I mentioned the risk of running outdated systems. I shared how I continue to be amazed at how many systems still run Windows XP. This is an operating system that is nearly 17 years old! However, many companies and products still run XP, including Britain's National Health Service. While it is always fun to talk about the "workhorse" of operating systems and its longevity in a disposable/upgradable world, keeping such dinosaurs around has real risks. Those risks can make the money saved by using an outdated system a molehill compared to the costs of responding to the security risks they present. WannaCry just made that point again. According to Krebs on Security, "Microsoft issued a patch to fix this flaw back in March 2017, but organizations running older, unsupported versions of Windows (such as Windows XP) were unable to apply the update because Microsoft no longer supplies security patches for those versions of Windows." It is not a sin to be a slow adopter of technology. Indeed, I recommend such an approach to avoid security flaws in newly released (and untested) platforms. However, a solid data governance and security management program includes long-term planning (strategically and financially) for the next system and the risks to be avoided.
In closing, I don't mean to oversimplify this latest attack. Indeed, these attacks are always complicated and find ways to exploit their victims differently. And this is to say nothing of the alleged role of the NSA in keeping such exploits around for its own use. No, this is a tangled web to unravel. The threat is real and complex. You can never have perfect security, but you can do a lot to minimize the most common risks. These risks are not just risks to your hard drives and operating systems; they could also come in the form of litigation or regulatory action for failure to implement reasonable and risk-based information controls. Companies and citizens alike would be well served to start baking the basics of data privacy and security into their day-to-day operations. Like Windows XP, the risk is never going away.