By now, everyone will be aware of the ransomware cyber-attack that started early on Friday and impacted IT systems in over 150 countries, including those of many NHS trusts. Many organisations were dealing with the fall-out of this attack over the weekend.
Ransomware is a form of malware that encrypts its victims’ data and then demands a payment to decrypt it. The form of ransomware used in the current attack is known as WannaCry. It was developed using a weakness in Microsoft Windows operating systems that was previously known to, and exploited by, the National Security Agency (NSA). However, in April, a Russian hacker group obtained details of this weakness from the NSA and made it widely available.
Here’s the rub – Microsoft identified this weakness in March and issued a software update (or patch) to address it. The organisations particularly vulnerable to WannaCry are therefore those running Windows systems that have not been patched since March. Organisations running Windows XP are particularly vulnerable, as this is an operating system Microsoft no longer supports and so no longer issues patches for.
So, what can businesses do? The National Cyber Security Centre (NCSC) has recommended that organisations download the latest Microsoft patches immediately – especially MS17-010, which was released in March and addresses the specific vulnerability that WannaCry exploits (note that Microsoft has now released a patch for organisations that still use Windows XP).
Further to this, all data should be backed up and stored on an offline hard drive, and antivirus software should be installed and kept up to date to reduce the risk of infection.
In the case of the recent ransomware attack, the NCSC guidance demonstrates that many organisations had made decisions around the prioritisation of system upgrades and patching, investment in antivirus, or the backing-up of data that left them exposed to potential cyber-attack.
In our experience, these decisions are often not taken at a level within the organisation that allows senior leadership to be aware of their implications. As a result, the associated risks are not fully understood and discussed outside the IT and security functions.
Those at senior leadership level cannot expect to be individually or collectively sighted on the day-to-day decision making of the IT or security functions. It is therefore critical that, in addition to addressing the immediate recommendations of the NCSC, processes and governance around cyber security are reviewed and, where necessary, strengthened across your organisation.
In order to reduce the level of cyber risk, senior leaders should work with their IT team and any external providers to ensure that all critical assets and services that must be protected from cyber-attack have been clearly identified, and that mitigations are thoroughly communicated and tested. Furthermore, business leaders should consider whether the senior leadership team, or the board, has the right mix of skills and competencies to address the above areas successfully.
A lack of understanding can make cyber security and the likes of ransomware seem like an unlikely risk and an intimidating area to tackle. However, recent events have shown us all how decisions taken at one level of an organisation to save money can quickly have serious impacts across the whole organisation.
Enabling the right choices to defend your organisation from cyber-attack requires proactive IT management capable of speaking the language of the business and strong and engaged senior leadership.
• Fraser Nicol is a partner at business adviser and accountant Scott-Moncrieff