We have read multiple reports on WannaCry, and if you are reading this and don’t know what WannaCry is, Google it for the background story. The clear message is that this is not the last major attack we will see, and future attacks will only get more sophisticated. The cost associated with responding to WannaCry is estimated to exceed $4 billion.
Here are our take-aways that may be a useful summary for our readers:
- The healthcare industry is particularly vulnerable to future attacks and should get prepared for them
- Make cybersecurity a risk management priority in the organization
- Implement patches as soon as they are released by the vendor
- Share cyber intrusion information with authorities to stave off attacks and the spread of attacks
- Get that back-up plan up and running and TEST it
- You get what you pay for if you buy pirated software—which is a crime
- Pay attention to industry alerts as you receive them from the FBI and other governmental authorities
- Consider purchasing appropriate cyber liability insurance to cover losses associated with cyber attacks, data breaches, ransomware and business interruption, and use a broker who is familiar with appropriate coverage
- Check out the resources published by US-CERT and the Disaster Information Management Research Center on WannaCry
- Get involved in the debate of whether the government should share known cyber vulnerabilities with companies—the debate is around whether government intelligence services should balance the use of vulnerabilities in software for espionage and cyber warfare with sharing their findings with technology companies so they can secure the flaw.
In case you don’t know how it happened (it has been kept a little “hush hush”), the WannaCry ransomware leveraged a hacking tool that was developed by the National Security Agency. The tool was leaked online in April, and the hackers behind WannaCry used the leaked tool to launch the WannaCry ransomware campaign worldwide. According to Brad Smith, the CEO of Microsoft, “This attack provides yet another example of why the stockpiling of vulnerabilities by governments is such a problem.” He called this a wake-up call for governments to “consider the damage to civilians that comes from hoarding these vulnerabilities and the use of these exploits.”
Microsoft had released a patch for the vulnerability several months earlier, so companies that had applied the patch were, for the most part, not affected. This shows how important it is to apply patches as soon as vendors release them in order to protect network systems.
Many industries received alerts from the government. The healthcare industry received a series of very useful tools from HHS about WannaCry, and the FBI sent a private industry alert to law firms (example available here). All industries were affected, so following vendor recommendations and industry alerts continues to be important both for staying aware of attacks and vulnerabilities and for responding to them.