The views expressed by contributors are their own and not the view of The Hill

Companies need to seriously step up their cybersecurity game
This spring marked a significant turning point regarding worldwide cyber aggression. The massive ransomware attacks on May 12 began in Europe and spread across the world infecting over 300,000 computers in more than 150 countries. Those infected were confronted with messages to pay $300 in bitcoin to unlock the files on the infected computer.

The hackers were playing the percentages that some number of computers would not be properly patched. They were not targeting any specific companies or individuals. There was no bias whatsoever — if the computer was connected to the internet, it was fair game. Many corporate cyber defenses were found to be lacking during the attack, and improvements need to be made.

The attack was enough to make you “WannaCry,” which is the namesake of this insidious ransomware. The WannaCry episode presents a tremendous learning experience. Businesses across various industries learned that daily operations could be pervasively and negatively impacted by a cyberattack. Gas pump electronic pay systems would be disrupted, automotive manufacturing processes would be crippled or halted, hospitals would need to reschedule patient surgeries, and power generation utilities would have interruptions.

Many business leaders learned that their software patch management was behind. Additionally, many were surprised their backups didn’t work as planned, and their incident response planners didn’t have a playbook. There were also constraints that further contributed to the damage: lack of investment, lack of controls, or plain old apathy.

Although cyber defenders were mostly able to disarm the hackers’ attacks, hackers are constantly creating variants that will be harder to detect, and perhaps costlier to the public and private sector. This type of malware has gone beyond mere nuisance and embarrassment — it is translating into serious dollars.

The insatiable appetite for better, faster, cheaper, and more connected technology is our collective “new normal.” Cyber threats are becoming more numerous and damaging with every device that connects to the internet. Verizon’s 2017 Data Breach Investigations Report illuminates how damaging attacks are for a company. Cyber risk is a business risk that has managerial, operational, financial, legal, and technological dimensions.

Technology changes faster than all the other dimensions, making it difficult for businesses to adapt to it. We’ve been trained to deal with catastrophic loss by reviewing business continuity plans and getting the right insurance coverages. That said, these strategies or tactics need to be revisited or updated to understand the appropriate mitigations to protect your company from a cyberattack. Insurance is a logical risk tool, but it doesn’t fix your cybersecurity posture. People, processes, and technology help you do that.

Do you have the right people, processes, and technologies to protect your business from cyber threats? A good place to start is to review the National Institute of Standards and Technology (NIST) Cybersecurity Framework, which has become a benchmark for what to do both nationally and across the globe.

Additionally, there is complementary guidance from the National Association of Corporate Directors (NACD), Information Systems Audit and Control Association (ISACA), and the Institute of Internal Auditors (IIA) on how to elevate cybersecurity to your company board’s governance agenda.

If that is too much to consider, review the Center for Internet Security punch list of 20 critical information security controls to determine not only whether they are in place but whether they are being done well enough. There are no silver bullets for cybersecurity. These frameworks do nothing for your organization if the company is unwilling to accept that it has gaps that will require a plan of action to close them.

The corporate world has demonstrated with previous attacks that it is not adequately prepared in regard to cyber defense. Cyberattacks will only increase, and the hackers will become more sophisticated. Thus, it’s vitally important that businesses ensure their assessments, vulnerability scanning, training, and incident response plans are functional and up to date.

Norman Comstock is a managing director at national accounting firm UHY Advisors with more than 25 years of experience in strategic consulting services. He advises clients on cybersecurity, enterprise risk management, and information technology governance.
