06/09/2017

WannaCry Ransomware – A Wake-Up Call for Cybersecurity and Data Management

For many corporations and regulators around the globe, the WannaCry Ransomware attack should serve as a stark reminder of the significance of cybersecurity and data management. In a new digital era, the stakes are higher than ever – corporations and governments can no longer afford to remain reactionary when it comes to cybersecurity.

WannaCry Ransomware – The Impact

As the spread of the WannaCry ransomware comes to an end, the time has come for companies to reflect on and evaluate their cybersecurity and cyber-resilience programs. The ransomware spread like wildfire; in a matter of hours, the malware had affected over 100 countries through nearly 45,000 attacks [1]. The latest reports suggest that the malware has now reached over 150 countries and has affected some 200,000 victims, many of them organizations and businesses [2]. Large, global corporations were not exempt from that list, as Telefonica, FedEx, and Renault all reported disruptions.

Ransomware is a type of malware that infects your system and encrypts your data, holding it hostage until you pay the “ransom” the criminal demands to give the data back. The ability of the WannaCry malware to spread so quickly lay in its unusual combination with a worm component – a program that replicates itself in order to spread to other computers. Additionally, it should be noted that the malware also spread through more traditional methods, such as manually opened email attachments and malicious websites. The release of multiple versions of the malware made it harder for cybersecurity experts to slow the spread and find quick fixes.

The clear takeaway here is that the attack was coordinated and sophisticated, and governments and organizations alike should take note. Many institutions will need to face questions on why their networks were left unsecured. Even institutions that were not affected will likely review their data and cyber policies and procedures to ensure they are protected from similar attacks and prepared for increasingly sophisticated future attacks.


What are the Trends – Cyber-Attacks

In 2016, cyber criminals attacked with new levels of ambition. We witnessed international bank heists [3] as well as repeated and targeted attempts to control and shift political landscapes [4]. Attackers demonstrated smarter and bolder tactics, while also becoming more commercialized, organized and less traceable than ever before. In fact, it was noted in the 2016 Ponemon Cost of Data Breach Study that companies can expect a 26% probability of a material data breach involving 10,000 lost or stolen records in the next 24 months.

The increased sophistication and organization of the attackers isn’t the only thing driving the complexity of future breaches. We are approaching a new and transformed digital era - businesses are beginning to embrace digitization, and innovative technologies such as the Internet of Everything (IoE) are beginning to take shape. Today, three of the biggest sources of concern relating to cyber-attacks are Mobile Devices, Data in Public Cloud and Cloud Infrastructure [5], all of which are relatively novel and have developed significantly in the last 10 years. With digitization, the attack surface [6] expands, providing new doors for attackers to explore and exploit and making the job of cybersecurity experts that much more complicated.

With regard to ransomware specifically, the annual Verizon Data Breach Investigations Report noted that ransomware attacks on businesses around the world had risen by 50% in 2016 and that, consequently, malware accounted for 51% of all cyber incidents [7]. Ransomware rose to become the fifth most common variety of malware in 2016 (up from a modest 22nd place just two years earlier). Perhaps what was most interesting in 2016 was not the increase in ransomware attacks, but rather the significant shift in the attacks’ targets – away from individual consumers and towards organizations and corporations.

The costs associated with cybersecurity attacks are growing. While criminals, on average, demand just over $1,000 per victim (a figure that spiked 266% in 2016), the cost of being hit by a cyber-attack can be far more significant for an organization. In 2016, the Ponemon Institute estimated the average cost of a data breach globally at approximately $4 million. The Cisco 2017 Annual Cybersecurity Report further noted that more than a third of organizations that experienced a data breach in 2016 reported substantial customer, opportunity, and revenue loss of more than 20 percent. For example, Yahoo’s data breaches in 2016 compromised more than 1 billion customer accounts and resulted in more than 40 lawsuits. The cyber-attack led to a $350 million price cut to the planned $4.83 billion acquisition of Yahoo’s core business [8]. This does not include the other tangible and intangible costs that Yahoo had to bear as a result of the breach.


What’s Next – Cybersecurity and Data Management

Both in the short and long term, it is likely that the number of cyber-attacks will rise unless individuals, corporations and regulators address cyber threats head on. Taking steps such as ensuring that all antivirus, firewall, application and operating system software is kept up to date can greatly reduce cyber-risk. The WannaCry ransomware exploited vulnerabilities in an older version of the Windows operating system. Microsoft had identified the vulnerability and released a security patch in March (2 months before the attack), but computers and networks that had not applied the update remained at risk. Moreover, organizations should offer regular cybersecurity training to their employees to ensure they are aware of the various risks and methods used in cyber-attacks: 66% of malware was installed via malicious email attachments, and 81% of hacking-related breaches leveraged stolen and/or weak passwords [7]. Training on how to spot suspicious emails, password best practices and the other steps that should be taken to minimize exposure can greatly reduce cyber risk.

On top of that, businesses should maintain clear data management and classification processes that include consistently backing up key data to offline storage. With data breaches and cyber-attacks increasingly probable, organizations should ensure they are ready for worst-case scenarios. This includes having a clear understanding of the data they handle and having disaster recovery plans that enable the business to quickly recover critical data in case of IT failures. As British Airways discovered recently, failure to do so can lead to significant and costly disruptions [9].

Businesses and organizations are not the only ones that need to take action. Governments and regulators need to continue to provide laws and guidance to better deal with the growing threat. On May 11th, 2017, President Donald Trump signed an executive order on cybersecurity with the objective to “strengthen the cybersecurity of Federal Networks and Critical Infrastructure” [10]. Among the priorities outlined in the executive order, President Trump pledged to hold the heads of executive departments and agencies accountable for cybersecurity risk within their enterprises. He also called on agency heads, such as the Secretary of State and the Secretary of Defense, to provide strategic options to better protect the American people from cyber threats. It is therefore likely that the United States will see increased focus on cybersecurity regulation in the coming years.

In addition to the executive order, the government has already taken some initiative in implementing new cybersecurity regulations. Notably, on February 16, 2017, the New York State Department of Financial Services (“NYDFS”) finalized regulations that mandate cybersecurity standards for all institutions authorized by NYDFS to operate in New York. The Final Regulations became effective on March 1, 2017. Consequently, “covered institutions” (institutions to which the regulations apply) will need to adapt their cybersecurity programs as well as their policies and procedures to remain compliant. Please see Sia Partners Insights for more information on the proposed [11] and final regulation [12].

In parallel to cybersecurity, we may see a global focus on data protection and management to further counter the risks of cyber-attacks. It should be noted that the U.S. Congress voted to repeal the FCC’s “Broadband Privacy Rules” order on April 3, 2017, eliminating the requirement that internet providers obtain explicit (opt-in) consent from their customers before using their sensitive data. This, though, may just be a blip, as more countries are pursuing robust data management regulations. Perhaps most notably, the European Union has begun to implement new laws by agreeing to apply the “General Data Protection Regulation” (GDPR) from May 25, 2018. The stated mission of the regulation is to strengthen and unify data protection for all individuals within the European Union. North American companies should not ignore GDPR, as this regulation could apply to them if they have operations, suppliers, or customers within the borders of the European Union. It should also be noted that companies subject to GDPR that do not comply face fines of up to 4% of revenue or €20 million.

GDPR will be a significant challenge for all companies. Implementing the regulation will require considerable effort, as companies will need to reform the way they store, use, share, maintain, and record personal data. This could have a profound effect on their current processes and systems. It should therefore come as no surprise that in a recent survey of 200 C-Suite executives from U.S. companies, 92% considered compliance with GDPR a top priority for their data privacy and security agenda in 2017, with over 50% saying it was the top priority. 77% of respondents plan to allocate over $1 million to GDPR readiness and compliance efforts [13]. GDPR compliance may prove to be onerous, but it could play an important role in a day and age where cyber-attacks are only becoming more numerous and sophisticated.

Conclusion

The WannaCry attack should serve as a stark reminder that cybersecurity will be a major challenge in the years to come. We are shifting into a new digital era, and while this will bring many new benefits, it will also bring many new risks. In order to counter the ever-evolving risks, we will need to see new and continuous improvements in the regulations that apply to cybersecurity and data management. The Executive Order issued by President Trump should aim to accelerate the development of regulations, which historically has been too slow compared to the fast-moving nature of technology. Furthermore, company executives, notably Chief Information and Compliance Officers, should bring all their policies and procedures into line with applicable national and international standards. Companies may look to further prioritize security by restructuring their organizations and introducing new roles, such as CSOs (Chief Security Officers), CISOs (Chief Information Security Officers) and CCOs (Chief Cybercrime Officers).

The fact remains that for the majority of organizations and governments, cybersecurity tends to be reactionary in nature. Companies need to anticipate their cybersecurity needs and remain proactive in implementing measures to counter the evolving cyber-threats. Sia Partners has developed strong competencies in cybersecurity and data management, most notably through leading initiatives in the NYDFS Part 500 and GDPR space. Sia Partners is a unique management consulting firm composed of passionate consultants who are able to drive business changes among our customers. 


Sia Partners


Sources

Key Takeaways

  • The WannaCry malware spread like wildfire, reaching over 150 countries and affecting over 200,000 victims, many of them organizations and businesses.
  • The number of cyber-attacks is ever-increasing, and cyber criminals are more organized and ambitious than ever.
  • Both in the short and long term, it is likely that the number of cyber-attacks will continue to rise unless individuals, corporations and regulators alike address their cyber issues head on.
  • To counter cyber risks, corporations should take steps such as ensuring that all antivirus, firewall, application and operating system software is kept up to date, provide adequate training to their employees, and maintain clear data management and classification processes.
  • Governments and regulators are increasingly opening their eyes to the risks of cyber-attacks and poor data management, and are consequently developing regulations to address these risks, such as GDPR and NYDFS Part 500.
  • In a new digital era, the stakes are higher than ever – governments and corporations can no longer remain reactionary when it comes to cybersecurity.