Once again, a ransomware outbreak (WannaCry) has dominated the media headlines, and cybersecurity vendors are scrambling to capitalise. At the time of this writing, the top 3 (non-paid advertising) spots on Google to the search phrase ‘ransomware’ are 2 vendor ads, and one ad for cyber insurance. All but one thereafter on page 1 results are doom and gloom / blamestorming ‘news’ stories. The one exception? Good old Wikipedia.
This is the exact same thing that happened the last time there was a ransomware attack, and the time before, and is the exact same thing that will happen the next time. Because there will be a next time.
From the Press’s perspective, this is just what they do, and you’re never going to see headlines like: “NHS Goes 6 Months Without a Breach!”, or “Acme Co. Blocks Their 1,000,000th Attempted Hack!”. Only bad stuff sells, and frankly no-one gives a damn about cybersecurity unless they’re a victim, or they can make money off it.
I have dedicated many blogs to the criticism of cybersecurity vendors for being little better than ambulance chasers. This blog is no different. So let’s be very clear:
Ransomware is NOT a TECHNOLOGY problem!!
If your organisation is the victim of an attack, 99 times out of 100 it’s entirely your fault. Either your people, your process, or a combination of both were inadequate. And I’m not talking about your security program not being cutting-edge/best of breed, I’m talking about it being wholly inappropriate for YOUR business. It does not matter what business you’re in, you have a duty of care to know enough about security to address the issues.
Yes, the bad guys are a$$holes, but we’ve had bad guys for millennia and they will always be part of the equation. Security is, and has always been, a cost of doing business, so suck it up and take responsibility. And if you aren’t even doing the security basics, not only will technology be unable to help, but you deserve what you get.
Harsh? Yes, absolutely, because the basics don’t bloody well cost anything! Not in capital terms anyway. It takes what I, and every other like-minded consultant out there, have been preaching for decades:
- Don’t keep your important files on your computer – Keep your data on external encrypted hard drives and/or cloud drives. If it’s not ON your system, you can’t lose it. In a perfect world you can Forget the Systems, Only the Data Matters;
- Patching – Your systems would have been immune to WannaCry if you had installed a patch made available by Microsoft in MARCH! I could rant for hours about this one, but there’s no point. You know you should be patching your systems, and if you don’t know that, you are clearly not from this planet. Your laptop or your PC is just a means to manipulate the data. Ideally you should completely reinstall your PC/laptop every 6 months to ensure that you have only 1) the latest and greatest versions of everything, 2) no extraneous crap you no longer use/need, and 3) no hidden malware;
- Back-Ups – I don’t care how little you know about computers, if you have one and are online, you damned well know you should be backing up your data. And not just to one location, but to several locations. Everyone from your operating system, to your bank, to your grandkids has told you about back-ups, so there’s no excuse. External hard drives are cheap, and the online Cloud drives are numerous. Use them all. Yes, I know this is different for a business, but not much;
- Don’t open every attachment you get – I feel stupid even writing this one, and it’s not just me talking from a position as a security professional. This is me talking from the position of someone who can read.
So from an organisation’s security program perspective, if you’d had these 4 basics in place, WannaCry would not have been an issue:
- Policies, Standards and Procedures – The dos, don’ts, how-tos, and what-withs of an organisation;
- Vulnerability Management – where patching sits;
- Incident Response – where back-ups sit; and
- Security Awareness Training – self-explanatory.
SOME technologies can make this stuff easier / more efficient, but fix the underlying processes and people issues first. That or get yourself a huge chunk of cyber insurance.