DRI’s Al Berman talks about the threat and what business continuity professionals should do about it
WannaCry is an interesting thing. We’ve all been worrying about cyber-attack points and cyber terrorism, but we haven’t talked about cybercrime. Cybercrime is a business. It’s a huge business.
We forget that cybercrime is a trillion-dollar industry to the best of anybody’s knowledge, though it’s hard to tell because people don’t talk about it. It’s become this incredible source of revenue, whether it’s being perpetrated by individuals or organized crime entities. This has become a relatively easy way for dishonest people to get a lot of money with very low risk. The chances of being caught are small, the sources of the attacks are ubiquitous, nobody knows where it’s coming from or who it is, and it attacks victims large and small. So now, we’re starting to look at the broader economic implications of cybercrime.
WannaCry is happening on a massive scale all at once, which makes it different, but it was executed the usual way – phishing, people opening emails they shouldn’t be opening, and organizations still allowing employees to do so with minimal oversight and caution.
Educate Employees Now
So, what should business continuity professionals be doing? First, raise awareness. We don’t educate employees enough. Most people now know, at the very least, to not give out their personal information such as social security numbers, but they haven’t been told not to click on pictures and graphics and they haven’t been taught how to recognize potential threats.
I’ll give you an example: I got an email from an FBI agent, and before I opened it and clicked on the attachment, I looked at the IP address to be sure it actually came out of Quantico. People should understand how to look at the headers of emails they receive before they automatically open them since most hackers are not concealing IP addresses. Yes, you can hide it and yes, you can spoof it, but in most cases, that’s not being done. And even when they spoof it, they tend not to do it from the local address.
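The header check described above, as an added example that is not part of the original article: a small Python script that parses a constructed message (not a real email), walks the Received chain to find the originating hop and its IP address, and flags disagreements between the claimed From domain, the envelope sender, and the first relay. All hostnames, addresses and IPs in the sample are made up for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample (not a real message): the From header claims an fbi.gov
# sender, while the envelope sender and the earliest Received hop do not.
SAMPLE_EMAIL = """\
Return-Path: <bounce@mailer-example.test>
Received: from mx.corp.example (mx.corp.example [203.0.113.10])
\tby mail.corp.example with ESMTP id abc123; Mon, 15 May 2017 09:00:00 +0000
Received: from smtp.mailer-example.test (unknown [198.51.100.7])
\tby mx.corp.example with ESMTP id def456; Mon, 15 May 2017 08:59:58 +0000
From: "Special Agent" <agent@fbi.gov>
To: victim@corp.example
Subject: Case file attached

Please open the attached case file.
"""

IPV4_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def received_hops(raw):
    """Return (host, ip) per Received header, newest hop first."""
    hops = []
    for value in message_from_string(raw).get_all("Received", []):
        text = " ".join(value.split())          # unfold continuation lines
        host = re.search(r"from (\S+)", text)
        ip = IPV4_RE.search(text)
        hops.append((host.group(1) if host else None,
                     ip.group(1) if ip else None))
    return hops

def originating_hop(raw):
    """The last Received header is the hop closest to where the mail began."""
    hops = received_hops(raw)
    return hops[-1] if hops else (None, None)

def header_mismatches(raw):
    """Flag disagreements between the claimed sender and the actual path."""
    msg = message_from_string(raw)
    domain = lambda hdr: parseaddr(msg.get(hdr, ""))[1].rpartition("@")[2].lower()
    from_dom, rp_dom = domain("From"), domain("Return-Path")
    findings = []
    if rp_dom and from_dom and rp_dom != from_dom:
        findings.append(f"Return-Path domain {rp_dom} != From domain {from_dom}")
    host, ip = originating_hop(raw)
    h = (host or "").lower()
    if h and from_dom and h != from_dom and not h.endswith("." + from_dom):
        findings.append(f"first hop {host} ({ip}) is not under {from_dom}")
    return findings
```

Legitimate mail is often relayed through third-party providers, so a mismatch is a reason to verify the sender through another channel before opening an attachment, not proof of fraud.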
In failing to educate employees, we open the door. These criminals are not hacking servers, they’re hacking emails. We need to educate people.
Enact Organizational Change
There needs to be awareness. There also needs to be a notification process when something happens. There should be someone responsible for investigating and reporting potential malware incidents in a timely manner. In the event of a fire, employees are instructed to know who to call, but when there’s malware, those instructions don’t necessarily exist. I think that’s true in most organizations, and that’s going to require organizations to make changes in their organizational structure in order to be able to respond effectively.
This isn’t a technical issue, it’s an administrative issue. The interesting thing is that I’m not even sure who’s vested with this responsibility in any given organization. If you went to someone in your organization and said, “I suspect malware, what should I do?” you would most likely be told to call tech services. However, there’s a problem with that. Tech services help desks probably do not specialize in this. You need a team on the other end of that call that can analyze the malware threat and stop it before it becomes something massive.
Block and Upgrade
I truly believe organizations should block Facebook, Google, etc. and especially social media. It’s so much easier to get someone to go to their Facebook account and click on a great picture. Why not remove that avenue?
We need to enforce stronger restrictions on what people can access as employees. We should also make sure people who are receiving email attachments understand they are from trusted sources before opening anything.
Organizations also need to upgrade their operating system to the most current version. Companies like Microsoft apply fixes to the most current versions of the operating system, leaving older versions with much greater vulnerabilities because those versions do not get the same updates.
Take This Opportunity
On the positive side, WannaCry is a great opportunity for business continuity professionals to raise awareness. We talk about every other kind of incident. We tell people about fires and floods and hurricane season, but something like this, something that happens all the time with a much greater potential impact on the business, we don’t seem to educate in the same way.
This is a great opportunity to talk about this in your organization. Now, while it’s hot. Companies are always going to be reactive. And while it’s almost impossible for us to know what the next source of the attack is going to be or what it’s going to look like, we can take immediate steps to be better prepared when it does happen.
Learn how DRI training can help your organization increase its preparedness at drii.org.