Photo of Sheila MillarPhoto of Tracy Marshall

The effects of the massive cyberattack using ransomware known as “Wanna Cry” are still being felt all over the world. Tens of thousands of organizations have been infected, including the UK’s National Health Service, which ran some services on an emergency-only basis the day the attack began in earnest. Some security experts surmise that the virus is activated using a malware worm that, once activated, travels automatically between computers. Businesses with numerous partners and suppliers that connect to their network were especially at risk. If and when Wanna Cry is contained, the attack will fade from the public’s view, but legal repercussions may follow for affected users.

Image of worm reaching up toward nothing in particularWanna Cry, also known as “Wanna Decryptor,” is a hacking tool thought to be developed by the U.S. National Security Agency (NSA). Wanna Cry exploits a vulnerability in Windows operating systems that allows the ransomware to spread automatically across multiple networks. The attack is the first incidence of self-spreading ransomware that cannot be stopped once it infects a network.

Microsoft issued a patch on March 14, 2017, to fix the hole in Windows. However, many organizations failed to apply the patch and found themselves susceptible to Wanna Cry over the last couple weeks. Indeed, in some regions, a large proportion of affected users were using pirated copies of Windows. Unusually, Microsoft has even released patches for such systems.

The damage caused by the Wanna Cry attack was both predictable and possibly preventable. In April 2017, a group calling themselves the Shadow Brokers released onto the web what they claimed where NSA-developed hacking tools (report here). Many security experts predicted it was only a matter of time before the Shadow Brokers’ tools were exploited on a large scale.

There are several lessons apparent at the outset:

First, organizations and individuals should update their systems frequently. Organizations both large and small sometimes wait before applying security patches issued by major software providers. Reasons may include other priority IT initiatives, concerns about the compatibility of specialized or legacy software, a lack of understanding of the seriousness of the vulnerability that the patch is intended to address, or simply manpower limits. The Wanna Cry attack, however, illustrates the importance of implementing patches and updates promptly to avoid falling prey to an attack that takes advantage of the unpatched vulnerability. Businesses should also bear in mind that failure to keep systems updated can result not only in disruption of business, but in the potential for theft of confidential company, client, and employee information, and could lead to lawsuits or regulatory enforcement actions alleging a lack of due diligence. While no protection or patch can be foolproof, systematic application of updates is a key security imperative in an increasingly integrated world.

Backing up crucial files on a separate server is also helpful in case the main network becomes compromised.

All businesses should have a breach response plan in place before an attack occurs, especially in the event of a ransomware attack that paralyzes internal systems and blocks access to data until a ransom is paid. Assessing an organization’s data collection and security practices, assembling a breach response team, and identifying legal obligations, law enforcement contacts, and forensics experts before an event occurs can help ensure an effective and timely response if, despite precautions, a company becomes the target of a data breach or ransomware demand. Regular training for directors, employees, and contractors is also important to raise awareness throughout the organization and mitigate risks. Automating updates and patching through your system can also help.

You don’t want to wait for the next wave of attacks to plan to protect your business, your employees, and your customers.