pixel_dreams - Fotolia

Five steps for business after WannaCry cyber attack

WannaCry reveals some important facts about our dependence on the internet and IT

The global WannaCry ransomware attack has highlighted that cyber attacks are not the responsibility of the chief information security officer (Ciso) but of the organisation and its leaders, who must actively gauge their IT dependence and invest in the risk treatment options that best match their business.

Stakeholders must now assess the short-term effects to profits or margins to pay for risk treatment and resilience, which are vital investments for the overall longevity and health of the organisation.

There is a misguided view that information risk is a technology problem to be managed by the information security and IT functions. 

There are many extremely talented people and professionals working on the front lines of cyber and information security who consistently give of their best, not only day-to-day, but also in times of crisis. Their efforts should be applauded and recognised.

The challenge of securing organisations and societies goes beyond the resources of these professionals, their governments and the small pockets of deeply technical experts that analyse the threats. Everyone must respond to this growing threat.

The indiscriminate nature of the WannaCry attack demonstrates that every individual can be a target whatever their sector or organisation. Well-publicised breaches of shopping, email and other providers have given criminals easy access to current email addresses, often the gateway for attacks, including WannaCry.

Further, the sheer number and variety of systems used in any industry means that an attack will always be likely to succeed at some level. The presence of unsupported applications, operating systems and other software – often required for valid operational reasons – only raises the probability of success for an attacker.

Security education essential to business

Digital-savvy, cyber awareness – call it what you will – is a societal and educational requirement and should be taught to as many individuals as possible as often as possible.

Business leaders and boards, who currently struggle to assess and manage information security and cyber risk, must recognise that their organisations need to be more resilient. This means investing in both stopping attacks and the necessary redundancy to keep going.

All businesses, their customers and their employees rely on the information, systems and software that underpin the products, services and processes now driving our economy.

Information risk must be recognised as anything that contributes to undermining, interrupting or stopping operations.

In the current landscape, business must anticipate interruption from cyber attack and develop the ability to keep the lights on, customers served and essential activities going in the event of an incident, whether caused by malicious intent, accidental activity or force of nature.

Five areas to develop security

It is not enough to defend against attack – businesses must take a proactive approach to cyber security. This means it is necessary for cyber risks to be better understood and managed.

The following five areas of development can be pursued to begin the process:

    1. Work with information security professionals to look at information risk in the context of the business and the wider implications for customer service, public relations (PR) and reputation – and not just as a technical issue.
    2. Communicate the identified information risks from a business perspective – not necessarily financial – that expresses clearly the harm to a business should a malicious or accidental incident occur. The risk treatments that can be put in place given the resources, and the residual risk to the business, should be clearly stated and updated as the business changes.
    3. Establish a dialogue, grounded in the terminology of risk between business leaders, IT and information security. Business leaders should regularly and actively challenge IT and information security leaders on information risk and its business impacts – and not just accept that technology can solve the problem. This is a two-way street: as much as information security leaders can push this dialogue, business leaders must give the time to listen, comprehend and discuss these risks.
    4. Deepen business leaders’ understanding of risk – and information risk – as they relate to how technology is changing the way that the business operates, the business’s dependency on that technology and where these changes are leaving the business vulnerable. This is a governance responsibility to be aware of and managed, as is the case with all risk.
    5. Include cyber and information security into the design and development processes in your organisation. Security requirements should be a consideration from idea through to design, development, engineering, testing and production of any product or service built, produced or bought by the business. Designing, or specifying, security into products and services is cheaper than adding it on later, while addressing the proliferation of new vulnerabilities that arrive with the current pace of technical innovation.

Read more about WannaCry

Read more on IT risk management

Join the conversation


Send me notifications when other members comment.

Please create a username to comment.

Such BS. What you need is a credible OS from a credible company that actually developed theirs first, rather than sitting back and ripping off Apple while jumping in bed with "security" sw companies and advertisers and anyone else that will pay them a dollar to rip you off. Security is non-existent on Windows and Android rip offs. If you had a Mac, you know this. Finally, the extreme BS about how it's not an IT problem? Get over your insane excuses and posturing! IT are in bed with posers at MSFT to rip you off, foisting MSFT for Google's latest cut corner Apple rip off on you while you end up paying FAR MORE than if you bought a real Macintosh or iPhone from Apple. The only reason you are posing this as a management or business problem is because it's hard to imagine a bigger screw up that IT is directly responsible for, so you DEFLECT and make it everyone's problem!!! It's instead, a direct result of listening to lazy IT goons who never recommend a decent product because then you'd realize their scam--you don't need them so much as you need a decent vendor/provider who actually develops and TAKES RESPONSIBILITY for the hardware AND software.
Well it's too late now... Most of the world is on the Microsoft platform so we ALL need to deal with it because it will affect everyone of us directly or indirectly in some way shape or form, regardless of what type of equipment/device and software you have. In the end, thigns liek this always becomes IT's problem, regardless of how or where an infiltration got started. No amount of end user training or social paradigm shift is going to prevent attacks from being successful - at least to some extent. Possibly through ongoing training we can help to slow these types of things down to some degree but that's all we can do. So, yes - it totally lies in IT's hands to find and implement solutions to mitigate the loss once it happens and that does mean IT needs to be proactive in ensuring that WHEN it happens to an organization (and it likely will) that they have all the proper policies/procedures etc... in place to deal with it and to keep the business ball rolling. So, yes, the business leaders do need to understand that this is now going to have to be an additional cost that will simply become a part of the IT landscape for all organizations going forward. They have to embrace this and ensure that the organizations IT department has the $'s and resources available to implement solutions. It's easy enough to say that if we all had apple equipment/devices we'd all be free from this but that wouldnt be the case. The biggest bang for the buck is always to target the equipment/software that is most widely used and that is MS and android. Why bother spending any effort to target the little guys??  So, if apple was at the top, you can bet that they would be getting hit just as hard...