The Petya ransomware attack – the second major global cyberattack in two months – left a trail of locked computers and compromised networks in some 65 countries around the world.
Like the WannaCry attack in May, Petya this week exposed weaknesses in cybersecurity defenses. It also reinforces the notion that it’s a case of when, not if, your organisation will become the target of an attack. But the high likelihood that an attack is coming doesn’t necessarily mean that dire consequences are inevitable.
“There is no 100-percent foolproof strategy for blocking cyberattacks, short of swearing off computers, email and the Internet,” said Randy Gross, CIO of CompTIA, a non-profit association for the technology industry. “But there are steps that can and should be taken to heighten defenses, starting with making sure that all systems are up to date.”
“Installing vendor patches in a timely manner and having an update plan in place for all client machines is a good start,” advised Robert Rohrman, CompTIA’s senior director of information services infrastructure.
Far too many computers still run outdated operating systems like Windows XP and Server 2003 and simply do not have the proper security protocols in place to prevent ransomware attacks, according to Rohrman. Even devices with newer operating systems can be vulnerable if security patches and software updates are delayed or ignored.
“A globally managed update system for clients and server/hosted resources is the best way to gain visualisation into an enterprise,” Rohrman said. He suggested IT managers have a system or program in place that provides a global view of the in-house systems and security situation so patches and fixes can be installed on multiple computers from one console.
But patching isn’t the only action you can take to defend against ransomware. The regular backup of data, stored off the primary computer, is another critical task.
“You can depend on your own backup more than a vendor patch because you have control over the backup,” explained James Stanger, CompTIA’s senior director for product development.
“Vendors can’t always get you the latest patch in time, which means that your systems could still be susceptible to zero-day attacks,” he continued. “Your system may have all of the updates the vendor has given, but an exploitable problem still exists.”
Stanger added that when you know your data is backed up, you’re less likely to feel pressured to pay a ransom because you already have what the cybercriminal is holding hostage.
Finally, it’s critical for everyone in the organisation – from the receptionist at the front desk to the IT technician in the back office, and from the CEO in the corner office to the account manager on the road – to learn and use good cybersecurity hygiene. Anyone who touches a PC, laptop, smartphone or tablet is a potential target of ransomware or other cyber threats, but threats can be lessened and security awareness heightened through regular education and training.
“Companies consistently repot that human error is the primary cause of security breaches,” said Seth Robinson, senior director, technology analysis, CompTIA. “People don’t know, or are ignoring some of the basic security practices. The encouraging news is that we’re seeing a growing realisation among companies that their workforce needs to be educated about technology in general, and about security, specifically.”
The types of training offered run the gamut, according to the recent CompTIA report “The Evolution of Security Skills.” In the survey of 350 U.S. businesses, about half said they perform employee security training on an ongoing basis. Also:
- 58 percent include security instruction as part of their new employee orientation
- 46 percent conduct random security audits
- 35 percent use “live fire” hands-on labs
“In a rapidly changing environment, simple one-time efforts such as new employee orientation or posting security policies for review will have low efficacy,” Robinson said. “Organisations are starting to understand that security training is needed for all jobs and that some oversight is needed to develop a security-aware culture.”
“Too often security is perceived as an inconvenience by users,” said Rohrman. “Many people talk a great game in security, but when it comes to taking the additional safeguards that security requires, many users will resist and opt for the easy, convenient way without regard to the potential consequences.”
The cost of a single data breach is estimated at $3.62 million, according to the Ponemon Institute’s “2016 Cost of Data Breach.” Ransomware attacks – which cost companies an estimated $1 billion in 2016 – could approach $5 billion this year, market researcher Cybersecurity Ventures reports.
The clear answer for organisations is to create, implement and enforce robust security practices and policies; and to explain and train those policies to their employees to ensure maximum buy-in and compliance.