Ounce of Prevention=Pound of Cure: How Organizational Resilience Factors into Maintaining Cybersecurity

About the WannaCry attack: Quite often in cybersecurity we see what looks like a “cat and mouse game”: the perpetrators (the bad guys) attack, and then the cybersecurity establishment (government, private companies, etc.; the good guys) defends and pursues the attack to plug, patch, and repair the problem after the fact. What is missing from this picture is what goes unreported or underreported: how many companies and organizations were unaffected, and how many were impacted but will not report it for fear of bad publicity.

"This cyber attack, which now looks like it came from the North Korean 'affiliated' Lazarus group, would have been solved by simply allowing computers running Microsoft-based operating systems to install the update that would have fixed the vulnerability. With personal computers, most allow this to operate automatically, but with corporate computers this task is generally taken care of by an IT department who often run several versions of Windows behind." - Douglas Graham, CEO, Ideation Inc., and developer of cryptocurrency and blockchain technology

It is interesting that, according to reports, only $50,000 has been paid in ransom. However, we are guessing that this number is badly underreported, as we have found that few like to admit to being the victim of any kind of attack, just as Nigerian scam victims often deny being victims. Also of interest is whether people will continue to pay ransoms given that, again according to reports, even with ransoms paid, no one has had their data decrypted.

How do organizations get out of the vicious cycle of “Cat and Mouse Games of Cybersecurity”?

The age-old saying that "An ounce of prevention is worth a pound of cure" fits this situation well, so one way to effectively build and maintain organizational resilience at the enterprise level is to create a cybersecurity program that both repels and recovers from cyber attacks. This can be done by following the Four Rs of Resilience: Robustness, Redundancy, Resourcefulness, and Rapidity [1]. For this instance let’s focus on just two factors: Robustness and Redundancy.

  • Robustness is the ability of systems and elements to withstand disaster forces without significant degradation or loss of performance. The simple fix here is making sure all operating systems are updated, including vendor systems, home systems that may be used for work (or else prevented from accessing corporate systems), and the tertiary systems your organization relies on. More sophisticated solutions such as a software-defined perimeter (SDP) would also have prevented the attack by establishing a dark layer and a credentialing process that restricts access.

  • Redundancy is the extent to which systems and elements, or other units, are substitutable or capable of satisfying functional requirements if significant degradation or loss of functionality occurs. Regular backups would remove the concern about having your data encrypted, as you could simply retrieve it from your backup.
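The two factors above translate into checks an organization can actually run against its inventory: is every system that touches the corporate network at or above the patch baseline (Robustness), and does every system have a recent backup that is verified intact before anyone relies on it for a restore (Redundancy)? The following is an added example written for this post, not code from the authors or from any vendor; the host inventory, the build numbers, the `REQUIRED_BUILD` baseline and the backup contents are all constructed, and the integrity check uses a SHA-256 digest recorded when the backup was taken so that a backup that was itself encrypted or corrupted is caught before it is trusted.

```python
"""Resilience audit over a constructed host inventory.

Robustness check: patch level of every host that can reach corporate systems.
Redundancy check: backup exists, is recent, and still matches its recorded digest.
"""
import hashlib
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional


@dataclass
class Host:
    name: str
    os_build: int                      # hypothetical monotonically increasing patch level
    last_backup: Optional[datetime]    # when the last backup was taken, None if never
    backup_sha256: Optional[str]       # digest recorded at backup time
    backup_blob: Optional[bytes]       # the stored backup itself (constructed inline)
    reaches_corporate: bool = True     # False for home systems blocked from the network


REQUIRED_BUILD = 1200                  # hypothetical baseline build that contains the fix
MAX_BACKUP_AGE = timedelta(days=7)     # policy: a backup older than this is stale


def robustness_findings(host: Host) -> List[str]:
    """Flag any host that can reach corporate systems and is below the patch baseline."""
    if host.reaches_corporate and host.os_build < REQUIRED_BUILD:
        return [f"{host.name}: build {host.os_build} is below required build {REQUIRED_BUILD}"]
    return []


def backup_is_intact(host: Host) -> bool:
    """A backup is only usable if its current digest matches the one recorded at backup time."""
    if host.backup_blob is None or host.backup_sha256 is None:
        return False
    return hashlib.sha256(host.backup_blob).hexdigest() == host.backup_sha256


def redundancy_findings(host: Host, now: datetime) -> List[str]:
    """Flag missing, stale, or tampered backups."""
    if host.last_backup is None:
        return [f"{host.name}: no backup recorded"]
    findings = []
    if now - host.last_backup > MAX_BACKUP_AGE:
        findings.append(f"{host.name}: backup is older than {MAX_BACKUP_AGE.days} days")
    if not backup_is_intact(host):
        findings.append(f"{host.name}: backup failed integrity check, do not restore from it")
    return findings


def restore(host: Host) -> bytes:
    """Return the backup contents only after the integrity check passes."""
    if not backup_is_intact(host):
        raise ValueError(f"{host.name}: refusing to restore an unverified backup")
    return host.backup_blob


def audit(hosts: List[Host], now: datetime) -> Dict[str, List[str]]:
    """Combine both checks into one report keyed by host name; an empty list means compliant."""
    return {h.name: robustness_findings(h) + redundancy_findings(h, now) for h in hosts}


# Constructed sample data: the "good" backup and its digest taken at backup time.
GOOD_BLOB = b"payroll.db: constructed sample backup contents"
GOOD_DIGEST = hashlib.sha256(GOOD_BLOB).hexdigest()
NOW = datetime(2017, 5, 20)            # constructed audit date

INVENTORY = [
    # patched, backed up two days ago, backup intact -> compliant
    Host("fileserver-01", 1200, NOW - timedelta(days=2), GOOD_DIGEST, GOOD_BLOB),
    # vendor-managed system: behind on patches and backup a month old
    Host("vendor-kiosk", 1130, NOW - timedelta(days=30), GOOD_DIGEST, GOOD_BLOB),
    # patched and recently backed up, but the stored backup no longer matches its digest
    Host("hr-laptop", 1200, NOW - timedelta(days=1), GOOD_DIGEST, b"\x00\x00 scrambled contents"),
    # home PC that is blocked from corporate systems, so its patch level is out of scope
    Host("home-pc", 900, NOW - timedelta(days=3), GOOD_DIGEST, GOOD_BLOB, reaches_corporate=False),
]

if __name__ == "__main__":
    for name, findings in audit(INVENTORY, NOW).items():
        print(name, "OK" if not findings else "; ".join(findings))
```

Running the block prints one line per host; the kiosk shows both a patch and a stale-backup finding, the laptop shows only the integrity failure, and `restore()` raises for that laptop rather than handing back a backup that cannot be trusted. The point of the digest check is that a backup is only Redundancy if it can actually satisfy the functional requirement when the primary copy is gone, so verifying restorability belongs in the routine, not just taking the backup.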

So, in short, the most basic of cybersecurity advice: update and back up frequently!

Douglas Graham, CEO, Ideation Inc. and Advisory Council Member at the Katz School, Yeshiva University

Andrew Boyarsky, President of Pinnacle Performance Management and Clinical Associate Professor at NYU and John Jay College (CUNY)

[1] Kathleen Tierney and Michel Bruneau (Bruneau et al., 2003)
