lolloj - Fotolia

Not all organisations improving defences after Petya

A survey of IT leaders worldwide reveals that not all organisations are planning to improve their cyber defences in the wake of the Petya attacks

Nearly 15% of around 450 IT executives polled by IT governance professionals’ association Isaca said they would not take any further precautions in light of Petya, despite needing to.

The survey revealed that the response to WannaCry was much stronger, with half of respondents saying their organisations had taken new precautions.

Although Petya shared some characteristics with WannaCry and was initially identified as ransomware, researchers later said it was essentially “wiper” malware designed to cause disruption.

Some security commentators said the Petya’s differences from WannaCry meant that organisations should assess their vulnerability in terms of those differences to identify further gaps in their defences as part of a continual improvement approach.

Mike Hughes, board director of Isaca, said although the more mature and forward-thinking organisations had taken extra steps after WannaCry, organisations need to continually reassess in the light of new developments and evolve their security controls and defences rather than rely on a once-off response.

“The lack of response to Petya was slightly surprising, but the results of this poll show that some organisations are still not taking cyber threats of the nature seriously, and somehow think it will not happen to them,” he told Computer Weekly.

According to Hughes, many of the organisations that are in denial are found among small to medium-sized enterprises (SMEs) because they tend to think such attacks are only relevant to large organisations and government and that no-one would be interested in attacking them.

“But no organisations are immune from these attacks, and the important issue is that SMEs are often an important part of the supply chains for larger organisations, so they need to start improving their cyber defences before their larger customers start demanding it,” he said.

Hughes said SMEs should also consider the negative impact on their reputation and business that a cyber attack could have.

Patching regime

Despite the impact of WannaCry and 27% of respondents to the Isaca survey admitting their organisation been hit by ransomware, 76% rated their organisations as “highly” or “somewhat” prepared to deal with such attacks.

The survey revealed that only 23% applied the latest software patches within 24 hours of release, and that more than one in four organisations typically wait longer than a month to apply the latest patches.

“Given the escalating volume and complexity of threats enterprises are facing, placing greater urgency on rapid, comprehensive patching is a critical component of protecting an organisation from the business- and infrastructure-crippling consequences of an attack,” said Matt Loeb, CEO of Isaca.

However, Hughes said although patching across the whole IT estate as soon as possible is a good idea, organisations may want to patch to test machines first to ensure there will be no unintended consequences. “It hasn’t been unknown that some patches cause problems,” he said.

To make patching as efficient as possible, Hughes said organisations need to have good patching regime in place and to know exactly where their assets are and what systems are the most critical to ensure that the most important systems are patched first and that nothing is overlooked, such as mobile devices.

Addressing the weakest link

Although half of organisations said they had taken new precautions in the wake of WannaCry, only 50% of those surveyed had conducted any ransomware training for staff.

Hughes said organisations need to pay more attention to educating employees about the latest threats, because effective cyber security is achieved only through a combination of people, process and technology, and people are often the weakest link.

“You can have the best processes and technologies in place, but if those processes and technologies are not being used correctly by people in an organisation, this will create opportunities for attackers, so the continual education, awareness raising and training of employees is key,” he said.

Hughes said employees can be shielded from many threats by having automated security controls such as email filtering. “But education is necessary so that employees understand the reasons for these controls and do not expose the organisation to malware infection by opening an email that has been quarantined, as often happens,” he said.

The survey revealed that 6% of participants said their organisations would pay a ransom if they were hit by a ransomware attack.

“The problem with making payments in response to these attacks is that it helps drive and entrench the business model for attackers,” said Hughes.

“However, some organisations are forced to pay because they haven’t got a good backup regime to enable them to retrieve their data.”

Expert believes more will ‘jump on ransomware bandwagon’

Finally, the survey revealed 83% of organisations expect further ransomware attacks later this year.

Hughes said those organisations that have not reviewed their patch management processes, and have not tested their ability to restore data from backups, should consider doing so immediately.

“In the wake of WannaCry and Petya, it is fairly likely that others will jump on the ransomware bandwagon to see what they can achieve, particularly as it is becoming easier to do with the availability of ransomware kits that enable people to carry out attacks with little technical expertise,” he said.

Read more about WannaCry and Petya

Read more on Hackers and cybercrime prevention