The WannaCry Aftermath: How to Protect Your Business from Future Attacks
May 30, 2017
To a large extent, U.S. businesses emerged unscathed from the first version of WannaCry, which paralyzed 40 U.K. hospitals and other organizations across 150 countries, but the implications of WannaCry still apply to everyone. Another ransomware attack like WannaCry will surely come, and when it does, will your organization be prepared?
As a business, you know that every decision comes with a cost. What do you stand to lose by continuing to take a reactive stance against cybercrime? For many mid-size organizations, the cost can prove fatal. A National Cyber Security Alliance study shows 60 percent of small and mid-size businesses affected by a cyber-attack go out of business within six months, but even the lucky ones suffer consequences. Consider the many layers of financial setbacks a business would endure in the wake of such an unhappy event:
- Productivity loss of your IT team dealing with the attack du jour
- Opportunity cost of not being able to focus on business-enhancing IT projects
- If infected, productivity loss of the affected users
- If propagated, productivity loss of the business
- If files or systems are damaged and there’s downtime, the cost of operational disruption
- Cost of reputation with shareholders, customers, business partners, and employees
In the second installment of our three-part blog series, we want to share some additional tactical measures you should start taking to build a more proactive stance against future attacks. We shared the 9 immediate steps in part 1. Be sure to address those first.
Seven Tactical Steps to Combat Future Ransomware Attacks
- Inbound email security – Consider using Sender Policy Framework (SPF), Domain-based Message Authentication, Reporting and Conformance (DMARC), and DomainKeys Identified Mail (DKIM) to prevent email spoofing.
- Least privilege – Users should not log on as admins to their machines. Period. The concept of least privilege is one of the most overlooked principles in information security. The most common reason that organizations do not adopt this principle is that it’s much easier to give the users whatever access (usually admin level) they say they need/want. Keep in mind that when a machine is infected via the logged-on user, the malware will immediately possess the privileges of that user.
- Network file share access control – In most environments that we assess, access control to file shares is almost always too lax. As with the principle of least privilege, organizations do this because it’s the easy thing to do. To build a resilient network, you need to consider the least amount of access a user requires to get their work done. If a user does not require write access to a share or directory, they should only have read access. The more shares on your network that are writable by multiple users, the larger your attack surface will be.
- Social engineering assessment and education – Beyond simply reminding your users not to click on a suspicious link, you should regularly test your users for susceptibility to social engineering attacks, including phishing, and use the results of such assessments to provide security awareness training.
- Backup and recovery – Review your backup and recovery strategy to make sure it meets your business’ needs for recovery objectives. You must test recovery of your backups on a regular basis. When we receive a call from a customer who is in panic mode after a breach, one of the first things we look at is whether they have good backups they can restore. In many of those cases, unfortunately, organizations don’t have the backups to restore the damaged data. If you are not regularly testing your backups, don’t expect them to save you when you need them.
- Beyond signature-based protection – Due to the sheer volume and variations of malware, relying solely on signature-based antivirus, intrusion prevention systems, and content filtering solutions will not provide sufficient protection. As part of your security architecture, employ solutions that are able to prevent threats based on behavioral analysis, anomaly detection and sandboxing technologies.
- Security assessment – Have your environment tested on a regular basis to create an ongoing feedback loop toward continuous improvement of your controls. Our recommendation is monthly or quarterly vulnerability assessment and a full security assessment on a yearly basis. The full security assessment should include, at a minimum, vulnerability assessment, penetration testing, security architecture review, and password strength audit.
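For the email security step above, publishing SPF and DMARC records is not enough if their policy is left permissive. The following check is an added example, not code from the original post; it covers SPF and DMARC only, and every domain and record in it is a constructed sample.

```python
# Added example. All domains and records below are constructed samples.
SAMPLES = {
    "weak.example": ("v=spf1 include:_spf.mailhost.example ~all",
                     "v=DMARC1; p=none"),
    "strict.example": ("v=spf1 include:_spf.mailhost.example -all",
                       "v=DMARC1; p=reject; rua=mailto:dmarc@strict.example"),
}

def audit_spf(record):
    """Flag SPF (RFC 7208) records that do not hard-fail unlisted senders."""
    terms = record.lower().split()
    if not terms or terms[0] != "v=spf1":
        return ["not an SPF record"]
    findings = []
    all_terms = [t for t in terms[1:] if t.lstrip("+-~?") == "all"]
    if not all_terms and not any(t.startswith("redirect=") for t in terms):
        findings.append("SPF: no 'all' mechanism, unlisted senders get a neutral result")
    for term in all_terms:
        if term in ("all", "+all"):      # a bare 'all' defaults to '+all'
            findings.append("SPF: '+all' authorizes every sender")
        elif term in ("?all", "~all"):
            findings.append("SPF: '%s' does not hard-fail unlisted senders" % term)
    return findings

def audit_dmarc(record):
    """Flag DMARC (RFC 7489) records that are not enforcing or not reporting."""
    tags = {}
    for part in record.split(";"):       # record is 'tag=value; tag=value'
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return ["not a DMARC record"]
    findings = []
    policy, pct = tags.get("p", "").lower(), tags.get("pct", "100")
    if policy not in ("none", "quarantine", "reject"):
        findings.append("DMARC: missing or invalid p= policy")
    elif policy == "none":
        findings.append("DMARC: p=none requests no action on failing mail")
    elif pct.isdigit() and int(pct) < 100:
        findings.append("DMARC: pct=%s applies the policy to only part of failing mail" % pct)
    if "rua" not in tags:
        findings.append("DMARC: no rua= address, so no aggregate reports arrive")
    return findings

def audit_domain(name):
    """Audit one constructed sample domain from SAMPLES."""
    spf, dmarc = SAMPLES[name]
    return audit_spf(spf) + audit_dmarc(dmarc)
```

To audit a real domain, pass the TXT records at the domain apex and at `_dmarc.<domain>` to `audit_spf` and `audit_dmarc`.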
So far, we have discussed what immediate action you should take to protect your organization from the WannaCry attack, as well as what other tactical action you should consider in the future. In part 3 of this series, we will discuss business and program level considerations to make security a part of enabling your business.
To learn more about how to build a more proactive defense against cyber-attacks, and why outsourcing security to a Managed Services provider can help your organization build resilience to multiplying threats, connect with us to discuss the best cyber security defense for your business.