If even the National Security Administration (N.S.A.) can have its secrets stolen and exploited, what about private companies that have profit (not data security and intelligence) as their prime directive? According to the New York Times, cybercriminals turned stolen N.S.A. hacking tools into malicious software (malware) called “WannaCry.” On May 12, 2017, WannaCry began to wreak havoc on hospitals and rail services in over 150 countries.
Stanford University professor Amy B. Zegart, who studies intelligence agencies, told the New York Times that “for half a century, N.S.A. pried into other people’s secrets. Now they’re suddenly sitting ducks who have their secrets stolen and used around the world.” Microsoft President and Chief Legal Officer Brad Smith concurred when he spoke to NPR, likening the N.S.A.’s failure to “the U.S. military having some of its Tomahawk missiles stolen.”
The reputational and practical harms to the N.S.A. from this and other recent data breaches are immeasurable, as are the damages by all ongoing data security snafus worldwide. The N.S.A. will likely be cleaning up the mess and shoring up vulnerabilities for some time to come. Are there lessons for private employers in this stranger-than-fiction real story of international cyber-intrigue? Yes — the lessons apply to companies everywhere, and to employees at all levels of every organization.
Cybersecurity Awareness for Every Worker
The NPR article concludes with the following edited advice from No More Ransom, a law enforcement/cybersecurity company partnership:
- Back up your computer and store the safety version in the cloud or on a drive that is not connected to your computer.
- Use robust antivirus software.
- Keep all the software on your computer up-to-date. Enable automatic updates.
- Never open attachments in emails from someone you don’t know. And remember that any account can be compromised.
- Enable the “Show file extensions” option in the Windows settings on your computer. This will make it much easier to spot potentially malicious files. Stay away from file extensions like “.exe,” “.vbs” and “.scr.”
- If you find a problem, disconnect your machine immediately from the Internet or other network connections (such as home Wi-Fi).
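The advice to show file extensions and to treat names ending in ".exe", ".vbs" or ".scr" with suspicion can be turned into a simple screening check. The following is an added example, not code from No More Ransom or from this article: it classifies attachment filenames the way a mail gateway or a cautious user would, and it demonstrates why hidden extensions matter by showing what a name like "report.pdf.exe" looks like when Windows hides the real extension. The extension lists are an assumption that extends the three examples in the checklist; the sample filenames are constructed.

```python
"""Screen e-mail attachment names by their real (last) extension.

Added example. The extension sets below are an assumption that extends the
".exe", ".vbs" and ".scr" examples in the checklist; all sample names are
constructed for illustration.
"""
import os
import unicodedata

# Extensions Windows runs directly (assumed representative set).
EXECUTABLE_EXTS = {".exe", ".vbs", ".scr", ".bat", ".cmd", ".js", ".jse",
                   ".wsf", ".ps1", ".hta", ".pif", ".com", ".msi"}
# Document-looking extensions that are often used as a decoy in front of
# the real one (assumed representative set).
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt",
                 ".jpg", ".png"}


def normalise(name):
    """Lower-case the name, fold Unicode compatibility forms, drop invisible
    format characters (e.g. direction-override marks) and trailing dots or
    spaces, so the extension we test is the one the OS will actually use."""
    name = unicodedata.normalize("NFKC", name)
    name = "".join(ch for ch in name if unicodedata.category(ch) != "Cf")
    return name.strip().rstrip(". ").lower()


def displayed_name(name):
    """What Explorer shows with 'Show file extensions' OFF: the last extension
    is hidden, so 'report.pdf.exe' is displayed as 'report.pdf'."""
    stem, ext = os.path.splitext(name)
    return stem if ext else name


def classify_attachment(name):
    """Return (verdict, reason) where verdict is 'block', 'warn' or 'allow'."""
    clean = normalise(name)
    stem, ext = os.path.splitext(clean)
    if ext in EXECUTABLE_EXTS:
        # A decoy document extension just before the real one is the classic
        # disguise that hidden extensions make invisible to the user.
        inner = os.path.splitext(stem)[1]
        if inner in DOCUMENT_EXTS:
            return "block", f"double extension {inner}{ext} disguises an executable"
        return "block", f"executable extension {ext}"
    if ext == "":
        return "warn", "no extension"
    if ext not in DOCUMENT_EXTS:
        return "warn", f"uncommon extension {ext}"
    return "allow", f"document extension {ext}"


def scan(names):
    """Classify a batch of names and return {verdict: [names]}."""
    result = {"block": [], "warn": [], "allow": []}
    for name in names:
        verdict, _ = classify_attachment(name)
        result[verdict].append(name)
    return result


# Constructed sample attachment names.
SAMPLE_ATTACHMENTS = [
    "Q3-report.pdf",
    "Q3-report.pdf.exe",      # displayed as "Q3-report.pdf" when extensions are hidden
    "Invoice.VBS ",           # case and trailing space do not change what runs
    "screensaver.scr",
    "notes",
    "macros.docm",
]

if __name__ == "__main__":
    for name in SAMPLE_ATTACHMENTS:
        verdict, reason = classify_attachment(name)
        print(f"{name!r:24} shown as {displayed_name(name)!r:20} -> {verdict}: {reason}")
```

The point of `displayed_name` is the one the checklist makes: with extensions hidden, "Q3-report.pdf.exe" and a genuine "Q3-report.pdf" look identical to the person deciding whether to double-click, which is why the setting belongs in a baseline workstation configuration rather than being left to each user.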
On the flip side of these best practices, bad employee habits can help an infection spread rather than nip it in the bud as recommended. WannaCry spread via email and infected computers whose software no one had updated, or that ran older, unsupported systems.
In fact, many employers don’t emphasize data security until it’s too late. Verizon recently reported that phishing (using fake emails to bait victims) occurred in 90% of all attacks that exploited human social interactions. Clicking on an attachment or link in a phishing email can install ransomware, a kind of malware that typically encrypts data in order to deny users access unless they pay a ransom. This is how WannaCry did its dirty work.
The WannaCry cyberattack highlights the importance of reining in employee cyber behavior. Insider negligence is the leading cause of data loss or theft, and unauthorized data sharing can undermine your best efforts at data security — even if employees are otherwise trained in cybersafety protocols. Training in cybersecurity awareness is extremely important — but no training can stand alone. Employers need to also shore up cybersecurity policy, balance security with productivity needs, and bolster their security infrastructure to secure data in whatever form it takes and wherever it’s stored and used.
Cybersecurity Awareness for Every Leader
Computer Weekly observes:
The global WannaCry ransomware attack has highlighted that cyberattacks are not the responsibility of the chief information security officer (CISO) but of the organization and its leaders, who must actively gauge their IT dependence and invest in the risk treatment options that best match their business.
. . . .
The indiscriminate nature of the WannaCry attack demonstrates that every individual can be a target whatever their sector or organization. Well-publicised breaches of shopping, email, and other providers have given criminals easy access to current email addresses, often the gateway for attacks, including WannaCry.
The article concludes with cybersecurity tips for execs, which I summarize below:
- Look at and communicate information risk from customer service, public relations, reputation, and other business perspectives — not just as a technical or financial issue
- Establish an ongoing dialogue and information-sharing between business leaders, IT, and information security, and don’t rely on technology alone to solve every problem
- Integrate security into the design and development process of your organization — data security shouldn’t be an afterthought
Execs do need to pay close attention, and not leave thwarting security threats entirely to IT, especially when leadership is part of the problem. According to a recent study, CEOs and business decision-makers are some of the biggest users of so-called “Shadow IT” — personal communication and content sharing of work information that company IT departments don’t know about or authorize. The study goes on to show that up to 60% of corporate data is stored on laptops and desktops instead of a centralized server or data center. Although Shadow IT extends beyond the C-Suite, leaders need to set the right tone at the top when it comes to data security. IT’s job of preventing and responding to data breaches is made harder when IT doesn’t know where all the company’s data is stored or how it’s being used.
Cybersecurity Awareness of Every “Thing”
Leaders need to understand and help arm their organizations against risks to more than just desktops, laptops, smartphones, and the like. In an op-ed in the Washington Post, security technologist and author Bruce Schneier warns that the Internet of Things (IoT) — comprising digitized and connected household items, medical devices, cars, etc. — is also vulnerable to WannaCry and similar malware:
It’s only a matter of time before people get messages on their car screens saying that the engine has been disabled and it will cost $200 in bitcoin to turn it back on. Or a similar message on their phones about their Internet-enabled door lock: Pay $100 if you want to get into your house tonight. Or pay far more if they want their embedded heart defibrillator to keep working.
Schneier’s scenario is neither far-fetched nor wholly hypothetical. In October of 2016, a targeted cyberattack took down millions of connected devices, including surveillance cameras, webcams, and smart thermostats.
Cybersecurity Awareness Can’t Wait
From understanding how data is stored in authorized sources and Shadow IT to potential IoT vulnerabilities, leaders have a lot of data security to keep up with. Fortunately, they don’t have to do it alone. While IT does not have all the answers, management and IT professionals can benefit by talking and (especially) listening to one another. And leaders need to lead by example, such as by helping IT account for their own Shadow IT usage (to send a message that every worker should do the same), providing guidelines to balance productivity goals with data security, and building security into systems, policies, and procedures so that security is not done ad hoc (a sure recipe for missing risks and vulnerabilities). Finally, everyone at every level of the organization needs training to raise cybersecurity awareness, and to change any unsafe practices immediately. Cybercriminals won’t wait.