Despite the global impact of the WanaCrypt0r ransomware attack experts don't expect it will be the industry wakeup call needed to take security more seriously, but there may be hope.
The reason an attack that crippled the UK's National Health Service and hit several large corporations and hundreds of thousands of computers may still not be enough to make a difference is it didn't make a big enough dent in any single business or personal fortune to greatly influence a behavioral change, Evident.io Chief Executive Officer Tim Prendergast told SC Media.
“While security is becoming a board-level discussion item, it has yet to be made a top priority,” Prendergast said. “Recent ransomware attacks certainly have gotten people's attention, but if you reviewed 100 enterprise organizations across the globe, I'd bet that 100 percent of them still have at least one server in their network that is vulnerable; and most likely, the risk cost analysis is low enough that the vulnerabilities won't be fixed.”
The lack of financial incentive and political pressure also creates little motivation for companies and their security teams to improve cybersecurity.
“People will keep doing the same, systems will remain just as fragmented, and hackers will continue to be one step ahead of IT,” Vera Chief Executive Officer and Co-founder Ajay Arora told SC Media. “Governments and companies will keep shooting themselves in the foot by under-budgeting, under-staffing and allowing arcane rules and regulations stand in the way of progress.”
Arora added that those who were affected will change their behavior and that while a few companies that weren't affected will remain vigilant, the rest will continue to learn the hard way and that there needs to be a fundamentally different way of thinking and broad-base action to address the issue.
Experts agree, complacency is the easiest vulnerability for attackers to exploit and many companies are very complacent in how they secure their technology, Gigamon Global Security Strategist Kevin Magee told SC Media. In order for there to be any change, there needs to be more involvement from the c-suite.
“We need to elevate the Cybersecurity discussion from the server room to the boardroom,” Magee said. “Directors need to understand and approach cybersecurity as an enterprise-wide risk management issue, not just an IT issue and set the expectation that management will establish an enterprise-wide, cyber-risk management framework with adequate staffing and budget.”
Furthermore, he said management should look at cyberthreats like WanaCryp0r and ask the hard questions, such as: Are we investing appropriately in protecting our network, computing devices, internet-connected devices and data relevant to their value and critical to the operation of our organization? How do we evaluate and measure the results of our decisions? To what degree has our level of concern about cyber security risk increased/decreased over the past year? Is our prioritization and level of engagement on the topic of cyber security consistent with our perceived level of overall risk to the organization?
A lack of ground-level motivation coupled with the of c-suite complacency can lead to a bleak cybersecurity future, High-Tech Bridge Chief Executive Officer Ilia Kolochenko told SC Media.
“Negligent IT personnel don't have a clear incentive to change anything, as it will hardly improve their own lives, salaries or even comfort at work,” Kolochenko said. “Once several IT contractors will be held liable for negligence and breach of duty [for failure to install security patches for two months] – we will start seeing vigorous improvements.”
Some researchers say it's still unclear what greater impact attacks like WanaCrypt0r will have since ransomware itself has been a mainstream problem for some time now, STEALTHbits Technologies Chief Technology Officer Jonathan Sander told SC Media. He added that companies have always taken attacks seriously, but have not stayed interested in security long enough after the attacks to fix the problems that made them attack victims.
“Maybe the publicity on this WannaCry incident will push people over the edge to where they start asking why this can happen,” Sander said. “But until organizations start thinking prevention and not response, they will keep shedding tears over WannaCry and every new cutely named attack that comes along.”
Sander's colleague Mark Wilson, director of partner enablement, EMEA, STEALTHbits Technologies agreed, adding there is no shortage of high profile cases like this.
“There can be no excuse for any organization running Windows XP or not applying security updates to other Windows Operating Systems,” Wilson said. “Even a fully up to date system is not exempt from an attack, but at least the risk is mitigated.”
Wilson said it will be interesting to see how this also impacts the hot topic of EU GDPR compliance, adding that it raises the questions: Are organizations finally going to listen to security specialists and take action to secure their data? Will they take action based on the fear of losing data? Will it be the fear of losing lives (in the medical arena)? Will it be the potential for astronomical fines?
Despite the concerns, there is little question that the impact of the attack has had at least a short-term impact, leading some researchers to believe there is hope for change.
“Banks, governments, Interpol, Europol, and tech giants alike are scrambling to react to this one,” Tetrad Digital Integrity (TDI) Chief Executive Officer Paul Innella told SC Media. “ATMs in China and India down, Russian infrastructure hit, Renault halted, NHS slammed, FedEx attacked - believe me the world is now awake to its fragility and susceptibility to ransomware.”
Innella added that we can be rest assured that the attack isn't over and that Microsoft's President declared this a renewed call to action and pushed again for a Digital Geneva Convention.
“I believe this is not just a wake-up call for ransomware's becoming prolific but it also screams volumes about the need to bring to the fore the much-muted discussion of governments' stock-piling exploits and vulnerability information,” Innella said. “The two most powerful actors in this cyber-war are nation-states and criminal institutions and what we have with this latest attack is the former arming the latter at the world's expense.”
Experts agreed that the extent of this attack with it impacting so many countries, companies, individuals, and, in particular, critical care providers such as hospital systems, may in fact be the attack that firmly plants “ransomware” into the mainstream and public discourse.
“However without better, earlier, and more regular security education across all aspects of our society, these attacks may continue to grow and expand,” AvePoint Chief Compliance and Risk Officer Dana Simberkoff told SC Media. “There has been swift response across most companies in terms of not only taking action to ensure that their own systems and employees' systems are appropriately protected, but also to reach out to their vendor ecosystem to ensure that their chain of suppliers' systems are also protected.”