ESET Ireland

What does the WannaCry attack mean from the point of view of the organizations’ overall risk?

In principle, ransomware is far from new. However, this attack has shown that the scale of a ransomware attack can be really massive. Using new attack vectors, the crooks behind the attack managed to deliver the malicious payload to higher number of victims.

Seeing the unprecedented scale, organizations should learn that the long-known threat of a malware attack has gotten much more immense. In response, C-level executives and directors should make sure infosecurity is included in the organizations’ overall risk profiles and treated accordingly.

High-level checklist for top executives and directors:

• Is there any specific defense against this particular attack?
  However, general malware protection techniques are enough, if properly executed.
• In the light of the WannaCry attack, should we shift our IT security focus or even invest more in IT security?

Not necessarily. If you comply with IT security regulations and best practices, you are reasonably safe against malware attacks of this kind.
However, as launching a global-scale attack is quite easy now, reckless IT departments and users face bigger risk than before.

• Which are the key security measures to prevent attacks like WannaCry?
  Have your systems fully patched, endpoint and network security solutions employed and up-to-date and staff aware of risks – and your malware infection risk will be close to zero. For mitigation of the remaining risk, have functional backups of your systems and data.
• On top of security measures – do you recommend buying an insurance policy to mitigate IT security risks like the WannaCry attack?
  While IT security insurance might be reasonable under rare circumstances, it’s really unnecessary in the case of WannaCry-like malware attacks. Read the fine print under your insurance contract: if you meet all the mandatory prevention, you’d be pretty safe and thus don’t need any insurance.
• Our Board mandates us to strengthen our security against attacks similar to WannaCry. What particular measures should we consider?
  Think along this attack’s structure.
  It’s a malware attack. Here, make sure your endpoint security solution is a reputable and multi-layered one. For example, ESET is not aware of any its client falling victim to WannaCry.
  As for the attack vector, WannaCry gets spread via exploiting a known vulnerability. Naturally, a patch management solution is the right answer.
  As an additional measure, test your ability to recover your systems and data from your backups. (If you don’t have a comprehensive backup strategy and solution, this is the very first item on your To Do list.)
  Keep in mind, however, that these measures cover only risks related to ransomware and other malware attacks. To mitigate other IT security risks, you need further measures, i.e. encryption and authentication.
• What questions should we ask our CIO/CISO in response to this attack? And how can we hold him/her accountable?
  Key questions specific to WannaCry and other malware/ransomware attacks are:
  • Are our systems up-to date and with all available patches implemented?
  • Do we have a security solution installed and up-to-date on all our servers and endpoints?
  • Does each of our employees know about risks associated with phishing? Do we test their ability to deal with suspicious email attachments and links?
  • Do we have a reasonable backup strategy? Is our ability to recover key systems and data from backups periodically tested?

As for holding CIO/CISO accountable, make IT security part of both CEOs and Board’s agenda. Have the responsible person reporting regularly in person. And, as a part of your IT security strategy, settle on a reasonable IT security dashboard and have it updated on a daily basis and accessible anytime by your C-level suite.