On Friday, May 12, a ransomware attack called WannaCry hit computers in Europe, then Asia, and then more than 150 other countries, including the U.S. By Monday, the cyberattack had hit more than 300,000 computers, first locking them and then demanding a $300 payment to restore their files. While the identity of the individual or group who deployed the software (WannaCrypt) is not yet known, it didn’t take long for copycats to pop up. That’s partly because the WannaCrypt ‘exploits’ were taken from the National Security Agency, which had reported the theft in April. About the same time, Microsoft released a patch to protect against the vulnerability. The problem was, few people took advantage of it.
It’s possible that your bank was affected by the malware hit. Though the U.S. has been less impacted than many other countries, the dust has yet to settle, and no person or organization is immune. “Not only individuals, but even governments and big companies with so much to lose fail to secure their systems and train their employees about necessary security practices,” said Marty P. Kamden, a marketing executive for the private network service provider NordVPN. “Cautious online behavior would probably have prevented the malware from infecting the network in the first place.”
It’s quite likely that people across impacted organizations are having similar conversations that include the phrase, “I’m just not tech-savvy.” That’s no longer a valid excuse. If you’re doing business of any kind—but especially business that involves private financial data—your organization has a responsibility to understand the threats you face and to do what needs to be done to protect yourself and your clients against them.
And if you are in charge of budgeting, decision-making, or the approval process for technology in your organization, you have no choice.
As an individual and as part of a team for your organization, you must educate yourself enough to be a part of the solution. That doesn’t mean you have to understand every technical detail of malware development or vulnerability exploitation. It does mean you need to understand the impact a cyberattack could have on your organization.
There are two things in particular that you can do to be a part of the solution for your institution and clients.
Partner with an expert cybersecurity firm.
It’s not uncommon to hear that individuals in IT departments “wear many hats.” Building and maintaining security for your organization takes aptitude, time, focus, and resources. If your internal team lacks any of these, consider investing in a partnership with a cybersecurity firm. One caveat: keep in mind that you get what you pay for. Don’t settle for the team that is selling, configuring, or implementing your hardware. Enlist a specialist.
Make sure your team has the proper tools and processes.
If your network administrators and technicians are driven by a demand to meet tight deadlines to deploy the latest and greatest platform that’s going to drive revenue, enhance client interaction, and make the systems faster, they may have neither the time nor the wherewithal to focus on the stability and security of the systems. Recognize that systems evolve and it’s common for new cyberattack exploits to emerge after systems are implemented. This combination results in system vulnerabilities.
Think about it like this: let’s say you build a platform with nails and wood. You test the integrity of the structure by jumping up and down on it to see how much pressure it can withstand. Hacking involves using systems and software code in unintended ways. The equivalent of “jumping up and down” on a technology system to test its integrity requires advanced understanding of how attackers leverage software bugs and misconfigurations to their advantage. Some organizations have teams or consultants with the skill sets to “jump up and down” (test) a platform. But many lack the expertise and resources to test their platform for unintended and malicious uses, leaving it vulnerable, even if it has been tested.
Executives and IT departments need to have all the cards on the table when dealing with cybersecurity. As a leader, it’s your responsibility to have the proper coverage in place to protect your organization and your clients.
If you are serious about understanding the weaknesses that exist beneath obvious attack points (and you should be), the best thing you can do is to educate yourself. Partner with an expert specialized in testing systems with the mindset of a real, well-funded malicious attacker. These experts have the vision, understanding, time, and resources to supplement the work your IT department is doing already, and can keep you protected from otherwise perplexing threats in a rapidly changing attack landscape.
Join us for a special Q&A session this Friday at 10 AM CT to hear from our team on the recent WannaCry ransomware attack and, more importantly, to ask any and all questions you have related to WannaCry, ransomware, and ways to protect your organization going forward.
 Here’s How to Protect Yourself From Ransomware Attacks, New York Times Online, May 15, 2017