On May 12, the sort of cyber disaster security experts had warned about for years finally happened, compromising systems at everything from corporations to hospitals across the planet. Something else that had never happened started then, too: everyone paid attention. Considering the “numerosity and intensity and geographic spread of the attacks,” Day Pitney partner Jed Davis said, “this is the wake-up call, if people needed one before now.”
And that wake-up call, Davis added, needs to be heard on two fronts: “the need to take control of the overall risk management process, including backing up the crown jewels,” and improving security awareness.
But as with any cyber incident, what remains to be seen is whether organizations will see beyond usual platitudes and heed the advice of cybersecurity and information governance experts. When it comes to basic cybersecurity hygiene, “you can say it a hundred times, but that doesn’t mean people listen to you,” said Alan Brill, senior managing director at Kroll Advisory Solutions. “If this is not a good wake-up call to tell you to [follow security protocol], I honestly don’t know what is.”
While many experts believe the worst of the WannaCry ransomware attacks is over, the malware is likely to keep spreading to machines that remain unpatched. And while the flaw this particular strain exploits can be closed by installing Microsoft’s security patch, ransomware has caused, and will continue to cause, headaches for companies that many deem avoidable. So what can organizations do to better secure themselves against such attacks in the future?
Cybersecurity as an Inevitable Component of Information Governance
The attack has been so successful because it exploits a vulnerability in Windows, the most widely used operating system on desktop and laptop computers, and because it exploits that flaw over the network: once one machine is infected, the malware uses the Windows file-sharing (SMB) service to reach others without anyone clicking a link or opening an attachment. WannaCry served as “proof of concept” of how these types of attacks “can scale exponentially,” said Ed McAndrew, cybercrimes prosecutor and data security lawyer at Ballard Spahr. Thus, it can be a sign of the sorts of attacks we’re likely to see in the future.
“A lot of ransomware attacks, in the early days, were attacks targeting individual end users. What we’re seeing now is system-wide ransomware attacks, server-side ransomware attacks, and they have the ability to cripple entire organizations. So I think every organization should be asking itself whether it’s ready for a system-wide ransomware attack,” he said.
One way to prepare is an incident response plan, that is, a company’s approach to managing the aftermath of a cybersecurity incident. McAndrew said this should include game plans for particular scenarios, and training for employees and incident responders so they can spot phishing emails and “the types of attack vectors” that introduce malware to computers (e.g., hyperlinks and attachments).
Prepping for Next Time
On the technical side, McAndrew noted the importance of having controls in place that limit how ransomware gets in and how far it spreads, such as the “up-to-date patching of systems” (Microsoft’s patch for the flaw WannaCry exploits is the case in point), as well as sandboxing, the practice of running a suspicious file in an isolated environment so its behavior can be observed without exposing the rest of the system, “for anything attached to an email before it makes it to the network.” He also suggested having a plan in place that allows an organization to “pull the plug” on its computers while keeping information easy to recover, so it “can get back to business as usual.”
Doing this requires backing up data, a step typically counted as basic cybersecurity hygiene but often overlooked. It “makes the consequence of being locked out of your data much more tolerable if you have a backed up copy,” said Rob Silvers, partner in Paul Hastings’ cybersecurity practice. The copy only helps, though, if it sits out of the malware’s reach: ransomware that can write to a mounted backup drive or network share encrypts that as well, and a mirroring job that runs after the infection overwrites the good copy with encrypted files. Offline or versioned backups, and periodic test restores, are what make the backup count.
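The following is an added example, not code from the article or from any of the firms quoted in it, showing the failure mode just described and one guard against it: a backup job that fingerprints every file and refuses to retire its last known-good generation when an implausibly large share of files changed since the previous run. The directory layout (“latest”, “candidate”, “quarantine”), the 50% threshold, and the sample files are assumptions chosen for the demonstration.

```python
"""
Added example (not from the Legaltech News article): a backup job that keeps
its last known-good copy out of reach of the data it is copying.

A plain mirror copies whatever is on disk, so run once after an infection it
replaces the good backup with encrypted files. This job fingerprints every
file and refuses to retire the previous generation when an implausible share
of files changed since the last run. The layout ("latest", "candidate",
"quarantine") and the threshold are assumptions made for the demonstration.
"""
import hashlib
import os
import secrets
import shutil
import tempfile

# Assumed policy: a normal day touches a small fraction of files; ransomware
# rewrites nearly all of them between two runs.
MASS_CHANGE_THRESHOLD = 0.5


def fingerprint_tree(root: str) -> dict:
    """Map each file's path (relative to root) to the SHA-256 of its contents."""
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                digests[os.path.relpath(full, root)] = hashlib.sha256(fh.read()).hexdigest()
    return digests


def change_ratio(before: dict, after: dict) -> float:
    """Fraction of previously backed-up files that are now altered or missing."""
    if not before:
        return 0.0
    changed = sum(1 for path, digest in before.items() if after.get(path) != digest)
    return changed / len(before)


def safe_backup(source: str, backup_root: str) -> bool:
    """Copy source into backup_root and decide whether the old generation may go.

    Returns True when the new copy becomes "latest". Returns False when a mass
    change is detected: the previous "latest" stays untouched as the last
    known-good copy and the suspicious copy is parked under "quarantine".
    """
    latest = os.path.join(backup_root, "latest")
    candidate = os.path.join(backup_root, "candidate")
    quarantine = os.path.join(backup_root, "quarantine")
    shutil.rmtree(candidate, ignore_errors=True)
    shutil.copytree(source, candidate)

    if os.path.isdir(latest):
        ratio = change_ratio(fingerprint_tree(latest), fingerprint_tree(candidate))
        if ratio > MASS_CHANGE_THRESHOLD:
            shutil.rmtree(quarantine, ignore_errors=True)
            os.replace(candidate, quarantine)
            return False
        shutil.rmtree(latest)
    os.replace(candidate, latest)
    return True


def simulate_encryption(root: str) -> None:
    """Stand-in for ransomware: overwrite every file with random bytes and rename it."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "wb") as fh:
                fh.write(secrets.token_bytes(64))
            os.replace(full, full + ".locked")


def demo() -> tuple:
    """Constructed scenario: first backup, a routine edit, then mass encryption.

    Returns (first_accepted, second_accepted, third_accepted, good_copy_intact).
    """
    work = tempfile.mkdtemp()
    try:
        source = os.path.join(work, "docs")
        backups = os.path.join(work, "backups")
        os.makedirs(source)
        os.makedirs(backups)
        for i in range(20):  # constructed sample documents
            with open(os.path.join(source, f"contract_{i}.txt"), "w") as fh:
                fh.write(f"draft {i}\n")

        first = safe_backup(source, backups)   # no prior generation: accepted
        with open(os.path.join(source, "contract_0.txt"), "a") as fh:
            fh.write("minor revision\n")
        second = safe_backup(source, backups)  # 1 of 20 files changed: accepted
        simulate_encryption(source)
        third = safe_backup(source, backups)   # 20 of 20 files changed: refused
        good_copy = os.path.join(backups, "latest", "contract_0.txt")
        with open(good_copy) as fh:
            intact = "minor revision" in fh.read()
        return first, second, third, intact
    finally:
        shutil.rmtree(work, ignore_errors=True)


if __name__ == "__main__":
    print(demo())
```

The threshold is a blunt instrument: legitimate bulk operations (a migration, a mass re-encoding) will also trip it, which is the point, since a human then confirms before the only good copy is discarded. In production the same idea is usually delivered by immutable or versioned storage rather than a script, but the property to insist on is identical: the infected host must never be able to overwrite the last good generation.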
In addition to backing up data, there’s a growing movement for organizations to include “defensible deletion” as part of their information governance plans, a strategy defined by Driven Inc.’s Philip Favro as “a comprehensive approach that companies implement to reduce the storage costs and legal risks associated with the retention of electronically stored information (ESI).”
“Information governance is all about getting a handle on where all this data is to begin with and why it's being kept in the first place, especially given that data is exponentially increasing all the time,” said Jason R. Baron, of counsel at Drinker Biddle & Reath. “But do companies have a handle on where their data is and what could be vulnerable?”
To this end, Baron advised “putting good policies in place” alongside technologies that “help increase the efficiency of the company. With good protocols in place, companies can minimize the risk of harm due to phishing attacks.”
But because ransomware locks up a computer’s data until a ransom is paid, companies should also decide in advance whether they would pay, and if so, how much. Just as important is being able to obtain the currency demanded, which is usually bitcoin, a currency transferred directly between parties with no bank or payment processor in the middle. Beyond knowing the exchange rate, organizations should know where they could buy bitcoin on short notice: opening and verifying an account at an exchange can take days, and a transfer is not final until the network confirms it, which can take anywhere from minutes to hours. Paying also buys no guarantee, since nothing obliges the attacker to deliver a working decryption key.
“Have you asked everyone at the organization that needs to be asked, under what circumstances would you pay the ransom?” McAndrew said. “Because you won’t be able to at the last [moment].”
Where Everyone Missed the Mark, and Why It Matters
As with many cyber incidents, many organizations were vulnerable to WannaCry simply because they failed to do what Kroll’s Brill calls “basic housekeeping.” In the case of preventing something like WannaCry, organizations can save much time and effort by “making sure patches get installed unless there’s a very specific reason not to do so.”
“You’ve got to have a laser focus on getting those patches in place, getting your immunization level up to where it should be,” he added.
Indeed, Devon Ackerman, incident response team lead and senior director with Kroll Cyber Security, said, “If everybody played by the patching rule book, [WannaCry] certainly wouldn’t have spread as much.” But Ackerman also noted that companies are likely to see “some revisions or variants of this malware” over the next week or two, adding that at present there have been about two incidents of newer versions of the malware “in the wild.”
Researchers of such incidents “have found variants where the [malware] code is slightly modified,” he said. The modification alters or removes the built-in kill switch that researchers had used to neutralize the original strain (before encrypting anything, the malware checks whether a hard-coded domain answers and stops if it does; registering that domain halted the first wave). A variant without that check is unaffected by the stopgap and, as Ackerman added, “it just spreads.”
Nevertheless, basic cybersecurity hygiene, such as installing security updates like those Microsoft issues to patch known software vulnerabilities, is increasingly essential to companies, as in some instances clients can hold them responsible for compromised information. This may be particularly true for the WannaCry outbreak, as Microsoft fixed the flaw this past March and issued a security patch that many failed to install.
“This security patch was available in March and was labeled at the time critical by Microsoft,” said Paul Hastings’ Silvers, who was previously assistant secretary for cyber policy at the Department of Homeland Security. “So companies that don’t install that kind of patch and then find themselves in a situation where they’re locked out, and that causes harm to others, may find themselves being sued for negligence.”
Further, when organizations are blocked from accessing their data, this “compromises ongoing business operations, and has a cascading domino effect throughout an organization in terms of its obligations and potential liabilities to other organizations [and] to customers,” McAndrew said. Thus, it could “impact their ability to comply with regulations in place.”
“There are measures that companies simply have to take to protect themselves and their shareholders and their businesses,” Silvers added. “And this weekend the attacks served as a reminder of that.”
Copyright Legaltech News. All rights reserved. This material may not be published, broadcast, rewritten, or redistributed.