15 May 2017

Ransomware cyber-attacks: Reduce the threat

Following the recent ransomware cyber-attack, we outline some key steps organisations should take now in order to reduce the threat.

You will all be aware of the ransomware cyber-attack which started early on Friday 12 May and impacted IT systems in over 150 countries, including those of a large number of NHS Trusts. Many organisations have been dealing with the fall-out of this attack over the weekend.

Ransomware is a form of malware that encrypts its victims’ data and then demands a payment to decrypt it. The particular form of ransomware being used in the current attack is known as ‘WannaCry’. This malware was developed using a weakness in Microsoft Windows operating systems, which was previously known and exploited by the National Security Agency (NSA). However, in April, a Russian hacker group obtained details of this weakness from the NSA and made it widely available.

It is important to note that Microsoft identified this weakness in March and issued a software update (or patch) to address it. The organisations particularly vulnerable to WannaCry are therefore those which run on Windows operating systems that have not been patched since March. Organisations running on Windows XP are particularly vulnerable as this is an operating system Microsoft no longer supports and so does not issue patches for.

So what can businesses do? The National Cyber Security Centre (NCSC) has recommended organisations urgently take the following actions, if they have not already:

  1. Download the latest Microsoft patches immediately, especially MS17-010, released in March, which addresses the specific vulnerability that WannaCry exploits (note that Microsoft has now released a patch for organisations that still use Windows XP).
  2. Back up all data and store it on an offline hard drive.
  3. Install antivirus software to reduce the risk of infection.
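As an added illustration of the first NCSC step (this script is not part of the article or of NCSC guidance), the following read-only PowerShell check reports whether a Windows host sits in the exposed group described above: an unsupported Windows release, no MS17-010 update visible among installed hotfixes, and the SMBv1 server (the component MS17-010 hardens) still enabled. It assumes local administrator rights, and the KB identifiers are a placeholder to be filled in from Microsoft's MS17-010 bulletin for the Windows versions you run.

```powershell
param(
    # Placeholder: KB numbers of the MS17-010 update for your Windows versions,
    # copied from Microsoft's MS17-010 bulletin (the article does not list them).
    [string[]]$Ms17010Kbs = @()
)

$findings = @()

# 1. Operating system. Windows XP and other 5.x releases are out of support,
#    which is the "not patched since March" case the article warns about.
#    Get-WmiObject is used rather than Get-CimInstance so the script also
#    runs on the older PowerShell versions found on such hosts.
$os = Get-WmiObject -Class Win32_OperatingSystem
$findings += "OS: $($os.Caption) (version $($os.Version))"
if ($os.Version -like '5.*') {
    $findings += 'WARNING: unsupported Windows release; apply the out-of-band MS17-010 update and plan a migration'
}

# 2. MS17-010. Look for any of the expected KB identifiers in the hotfix list.
$installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
if ($Ms17010Kbs.Count -eq 0) {
    $findings += 'MS17-010: no KB list supplied, check skipped'
} elseif ($Ms17010Kbs | Where-Object { $installed -contains $_ }) {
    $findings += 'MS17-010: installed'
} else {
    $findings += 'WARNING: MS17-010 not found among installed hotfixes; patch immediately'
}

# 3. SMBv1 server. Get-SmbServerConfiguration exists on Windows 8 / Server 2012
#    and later; on older releases the status is reported as unknown.
if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
    if ((Get-SmbServerConfiguration).EnableSMB1Protocol) {
        $findings += 'WARNING: SMBv1 server is enabled; disable it unless a legacy dependency requires it'
    } else {
        $findings += 'SMBv1 server: disabled'
    }
} else {
    $findings += 'SMBv1 server: cannot be queried on this Windows version'
}

$findings
```

Get-HotFix only lists updates installed on the local host, and a later cumulative update that supersedes MS17-010 will not carry the original KB number, so treat "not found" as a prompt to verify through your patch-management system rather than as proof of exposure.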

The full NCSC guidance on reducing the threat of ransomware, which we fully endorse, can be found on the NCSC website: https://www.ncsc.gov.uk/.

The recent ransomware attack shows that many organisations have had to make decisions about the prioritisation of system upgrades and patching, investment in antivirus, or the backing up of data, and that those decisions left them exposed to potential cyber-attack. In our experience, these decisions are often not taken at a level within the organisation that allows senior leadership to be aware of their implications. As a result, the associated risks are not fully understood and discussed outside the IT and security functions.

Those at senior leadership level cannot expect to be individually or collectively sighted on the day-to-day decision making of the IT or security functions. It is therefore critical that, in addition to addressing the immediate recommendations of the NCSC, processes and governance around cyber security are reviewed and, where necessary, strengthened across your organisation. When it comes to making decisions regarding cyber risks, organisations should aim to establish clear standards for staff to follow, allow transparency and facilitate communication across the business.

Our advice to senior leaders in organisations facing significant cyber risks is as follows:

  • Work with your IT team to ensure that critical assets and services that must be protected from cyber-attack have been clearly identified;
  • Obtain assurance that IT policies and procedures, including those covering security, resilience, patching and back-ups, are in place and that they meet the recognised industry standards and are subject to regular review;
  • Facilitate organisation-wide communication in order to enhance security awareness across all staff;
  • Develop and test crisis and incident management capabilities;
  • Understand the role that third party service providers play within the delivery of IT services across your organisation. Following this, confirm that appropriate contractual and assurance arrangements are in place in order to provide assurance that they have implemented the appropriate security measures; and
  • Review your risk management activities in order to refresh and enhance your view of IT and cyber risks.

We also recommend that you consider how you ensure you have the right mix of skills and competencies across your senior leadership team and on your Board in order to successfully address the above areas.

If you have any concerns or questions on how to protect yourself from a potential ransomware attack, please do not hesitate to get in contact.
