2017 has already seen two major virus-based cyber-attacks, both of which have resulted in far-reaching consequences for the organisations that were successfully attacked. The attacks in question were derived from the so-called ‘EternalBlue’ exploit, believed to have been originally developed by the American National Security Agency (NSA), presumably as a tool for surveillance and / or infiltration.
Is there a trend emerging here? Extrapolation in this context is fraught with danger. Malware developers will undoubtedly try to derive more attacks from the original source, but as these are discovered and fixed, they will move on to other exploit sources.
When (not if) the next attack comes, it may utilise a totally different exploit and delivery method, and the type of impact might cause permanent destruction of data as opposed to temporary unavailability and ransom demands. On the other hand, it may result in the complete denial of service to an organisation’s external connectivity. Whatever the possible outcome, organisations should be taking steps to secure their systems and maintain their cyber business capability.
The problem that faces us is that what has been created by a technical revolution can also be attacked by technology, and as events have shown, organisations both large and small can be brought to a virtual standstill in a matter of hours.
Organisations that do not take their corporate responsibilities seriously soon find themselves in confrontation with an authority such as a sector regulator or HMRC. Why then do the same organisations feel that they can disregard the consequences of poor cyber security?
Some organisations see cyber security purely as an expense on the balance sheet - that is, until they are attacked and the true cost becomes apparent. Good cyber security is an asset, not only to the organisation concerned but also to its customers and stakeholders, since it enables all of them to continue to do business.
In the main, these attacks were successful because the organisations affected had either not upgraded their operating system software from unsupported versions, or had not kept their antivirus software and security patches up to date. Attackers will inevitably exploit the gap between the time when security patches and antivirus definitions are released and the time when organisations implement them, so it is critical to keep these gaps as small as possible. Reducing this window of opportunity reduces the risk.
In traditional thinking, risk is composed of impact and likelihood. I submit that where cyber-attacks are concerned, it is pointless trying to assess the likelihood of an attack occurring, since if an organisation has not already been the target of an attack, it will be; and if it already has, it will be again. Risk in this context therefore has a direct relationship with impact, and the organisation's focus must be to reduce the likelihood of an attack being successful.
In May 2017, the UK National Cyber Security Centre (NCSC) published a statement on the first of the two cyber-attacks, and made the following three-point recommendation to organisations:
- Keep your organisation's security software patches up to date
- Use proper antivirus software services
- Most importantly for ransomware, back up the data that matters to you, because you can't be held to ransom for data you hold somewhere else.
I would add a fourth recommendation to this list (and would probably make it number one):
Don’t run any business-critical application on an unsupported operating system. Upgrade to the latest supported version.
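The four points above, together with the release-to-install window discussed earlier, can be turned into a simple estate audit. The script below is an added example and not part of the article or the NCSC statement: it runs the four checks (supported OS, patch installed within a policy window, antivirus definitions current, recent backup) over a constructed inventory and reports the largest open patch window, which is the number to drive down. The hostnames, dates, operating system list and policy thresholds are all assumed values.

```python
from datetime import date

# Policy thresholds: assumed values, not taken from the article or the NCSC statement
MAX_PATCH_LAG_DAYS = 14          # tolerated release-to-install window
MAX_AV_DEFINITION_AGE_DAYS = 7   # antivirus definitions older than this count as stale
MAX_BACKUP_AGE_DAYS = 7          # last good backup older than this counts as stale

# Hypothetical list of operating systems still receiving vendor security updates
SUPPORTED_OS = {"Windows Server 2016", "Windows 10", "Ubuntu 16.04"}

# Date on which the audit is run (constructed)
AS_OF = date(2017, 7, 1)

# Constructed sample inventory: hostnames, OS versions and dates are made up for illustration
INVENTORY = [
    {"host": "fileserver01", "os": "Windows Server 2016",
     "patch_released": date(2017, 3, 14), "patch_installed": date(2017, 3, 20),
     "av_definitions": date(2017, 6, 30), "last_backup": date(2017, 6, 30)},
    {"host": "legacy-app", "os": "Windows XP",
     "patch_released": date(2017, 3, 14), "patch_installed": None,
     "av_definitions": date(2017, 5, 1), "last_backup": date(2017, 6, 1)},
    {"host": "dev-box", "os": "Ubuntu 16.04",
     "patch_released": date(2017, 6, 1), "patch_installed": date(2017, 6, 20),
     "av_definitions": date(2017, 7, 1), "last_backup": date(2017, 6, 28)},
]


def patch_lag_days(host, as_of=AS_OF):
    """Length of the release-to-install window in days.

    A patch that has not been installed keeps the window open up to as_of.
    """
    end = host["patch_installed"] or as_of
    return (end - host["patch_released"]).days


def audit_host(host, as_of=AS_OF):
    """Return a list of (finding, detail) tuples; an empty list means all four points are met."""
    findings = []

    # Point 4 (the author's addition): no business-critical application on an unsupported OS
    if host["os"] not in SUPPORTED_OS:
        findings.append(("unsupported_os", host["os"]))

    # Point 1: security patches applied, and applied within the policy window
    lag = patch_lag_days(host, as_of)
    if host["patch_installed"] is None:
        findings.append(("patch_not_installed", lag))
    elif lag > MAX_PATCH_LAG_DAYS:
        findings.append(("patch_lag_exceeded", lag))

    # Point 2: antivirus definitions kept current
    av_age = (as_of - host["av_definitions"]).days
    if av_age > MAX_AV_DEFINITION_AGE_DAYS:
        findings.append(("av_definitions_stale", av_age))

    # Point 3: a recent copy of the data held elsewhere
    backup_age = (as_of - host["last_backup"]).days
    if backup_age > MAX_BACKUP_AGE_DAYS:
        findings.append(("backup_stale", backup_age))

    return findings


def audit(inventory, as_of=AS_OF):
    """Map each hostname to its list of findings."""
    return {h["host"]: audit_host(h, as_of) for h in inventory}


def worst_open_window(inventory, as_of=AS_OF):
    """Largest patch exposure window across the estate, in days."""
    return max(patch_lag_days(h, as_of) for h in inventory)


if __name__ == "__main__":
    for host, findings in audit(INVENTORY).items():
        print(host, findings or "OK")
    print("worst open patch window (days):", worst_open_window(INVENTORY))
```

Run against the sample inventory, the fully patched server reports nothing, the developer machine is flagged only for a 19-day patch lag, and the unsupported host is flagged on every point, with its uninstalled patch keeping a 109-day window open. In practice the inventory would be fed from a configuration management or endpoint tool rather than hard-coded, and the thresholds set by the organisation's own policy.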
Remember - lessons in life will be repeated until they are learned.