Quite often with cyber security, the public sees what might appear to be a game of cat and mouse: the perpetrators (bad guys) attack, then the cyber security establishment (government, private companies, and so on; the good guys) defend and try to plug, patch, and repair the problem after the fact. What we are missing in this picture—what may not be reported, or underreported - is how many companies and organizations are unaffected, as well as those who may have been impacted but are hesitant to admit this and risk bad publicity.
The latest example of this is the WannaCry attack, which now looks like it came from the North Korean-affiliated Lazarus group. This attack would have been defeated if organizations simply allowed computers running Microsoft-based operating systems to install the update that would have fixed the vulnerability. With personal computers, most users allow this to operate automatically, but with corporate computers this task is generally taken care of by an IT department that often runs several versions of Windows behind.
It is interesting that, according to reports, this ransomware attack - which claims to encrypt all of users’ files and offers a payment-based decryption service to restore them - has only generated $50,000 in ransom. However, it is our guess that this number is severely underreported; we have found few people like to admit to having been a victim of this kind of attack, just as users affected by Nigerian scams often deny being victims. It’s also interesting to speculate whether people will continue to pay any ransom given that, according to reports, no one who’s paid the ransom thus far has had their files decrypted.
How can organizations break this vicious cat-and-mouse cycle? One way to effectively build and maintain organizational resilience on an enterprise level is creating a cyber security program that repels and recovers from cyber attacks, following the Four Rs of Resilience: Robustness, Redundancy, Resourcefulness, and Rapidity. For our purposes with regards to WannaCry, let’s focus on just two factors: Robustness and Redundancy.
Robustness is the ability of systems and elements to withstand disaster forces without significant degradation or loss of performance. The simple fix here is making sure all operating systems are updated, including any systems by vendors, home systems that may be used (or prevented from accessing corporate systems) and tertiary systems an organization relies on. More sophisticated solutions such as software defined perimeter would also have prevented the attack, by establishing a dark layer and credentialing process, restricting access.
Redundancy is the extent to which systems and elements or other units are substitutable or capable of satisfying functional requirements, if significant degradation or loss of functionality occur. Regular backups would remove the concern about having data encrypted or destroyed as users could just retrieve the same data from their backup.
So in short, what’s the best way to keep your personal and organizational data safe in the age of WannaCry? It may seem simple, but it’s the most basic cyber security advice for a reason: update and backup your files. Frequently.
Andrew Boyarsky and Douglas Graham are the academic director of the master’s program in enterprise risk management at the Mordecai D. and Monique C. Katz School of Graduate and Professional Studies at Yeshiva University and an advisory council member at the Katz School, respectively. The opinions expressed above are solely those of the authors and should not be attributed to Yeshiva University.