In the world of cybersecurity—particularly for small- and midsize businesses—progress tends to be achieved in fits and starts. Rare is the SMB that has the patience and focus to take a methodical approach to improving network security over an extended period.
So when news of the WannaCry outbreak grabbed the mainstream media’s attention recently, fear among SMBs spiked and attention turned to cyber issues. However, just as quickly, the pendulum appears to be swinging back toward complacency at all too many companies.
That shouldn’t be the case. Here are five prominent WannaCry takeaways that businesses of all sizes should pause to consider. These notions hold especially true for SMBs that can’t afford to have their reputations gouged, much less sustain material monetary losses, from a major network breach:
- Patch management. WannaCry took advantage of a vulnerability in Server Message Block, a particular part of the Windows operating system. Microsoft had released a patch back in March, but not everyone had applied it, particularly on older Windows XP systems. You’d have to have a substandard patch management program in place to miss a critical security patch for two months, and those were the companies affected.
- Software inventories. WannaCry pummeled organizations using old or pirated versions of the Windows operating system, since those are systems that tend not to be patched automatically. All businesses can reduce their risk by knowing what applications and versions are in their networks. SMBs need to ensure that unauthorized copies of business applications are not present. The good news is that proven applications are available that can inventory the operating systems and business software your company regularly uses.
- Backup, backup, backup. Want to know the top three ways to beat ransomware? Back up to the cloud. Back up to the cloud. Back up to the cloud. What’s the best way to defeat ransomware if you are uncomfortable backing up to the cloud? Back up somewhere else that is off your network.
- Consider cloud security. Trusting mission-critical data and processes to a cloud service provider still makes many company decision-makers very nervous. They’ll say: “I don’t want to trust a cloud provider with my data. Those guys get attacked all the time.” While that may be true, the reputable cloud service providers, by now, know what’s at risk and have made the investment in quality defenses.
- Breach response planning. A good breach response plan would not have prevented infections from WannaCry, but it would have sped recovery. If everyone in the organization knows where to go and what role to play in getting the network back to normal, expensive downtime can be minimized. A robust breach response plan needs to be in place, tested and accessible to key players.
All organizations require a robust patch management program. Guidance is available from the National Institute of Standards and Technology, under NIST standards 800-53 and 800-60. And the SANS Institute, a private cybersecurity think tank and training center, has put together helpful pointers in SANS’ Framework for Building a Comprehensive Enterprise Security Patch Management Program.
Organizations that had a good backup ready to go could simply delete the encrypted files, restore the backup, sweep their networks for malware, and get back to business. We have seen that process take 15 minutes. There are many providers who will back up your data, usually for under $1,000 per year.
If you are one of the companies unsure about whether you were patched properly, whether you had good backups, or whether your response plan was going to be effective, then the reputable cloud service providers that deliver these types of services are doing better than you are. It may be time to look into moving functions like email, office automation and customer relationship management to the cloud.
These notions were true well before WannaCry. And they bear repeating in the aftermath of this landmark, self-spreading ransomware attack. No doubt there will be more lessons to learn going forward. One thing seems assured: Sophisticated attacks designed to breach business networks indiscriminately are here to stay.