The recent NotPetya ransomware attack (at first thought to be a variant of Petya, but later dubbed NotPetya and ExPetr) felt a little like reliving the WannaCry incident from May. While many articles focused on the details of the ransomware attack and on pointing fingers at what hadn’t been done to fend off attacks like NotPetya, not many talked about the challenges that security executives face when it comes to ransomware.
Let’s start with the fact that IT executives know that getting security right requires the fundamentals. Patching systems, regularly backing up data and having a business continuity plan in place are all required; but implementing them isn’t always easy when a CIO is acting without the support of the entire organization. This highlights the first major challenge for organizations: making security a priority.
Security continues to be seen as an added task instead of part of the actual business process. It is hard for the CIO to communicate this need to the board and leadership because, until a breach strikes, the bottom line of the business hasn’t been affected yet. Also, since the board and executives are busy thinking about business growth in terms of revenue, security takes a back seat when it is an expense to the business rather than money coming in (at least in appearance).
A second challenge is that systems aren’t always under the control of IT, which makes regular patching an issue. Also keep in mind that before patching an entire system, the IT team needs to test against different system configurations, make sure there are no application conflicts, and verify that current functionality doesn’t get lost. This slows the entire patching process down, not to mention that technology costing millions of dollars, like an MRI machine, is expected to last for years, which makes the need for regular maintenance a contradiction to some businesses.
These two challenges alone give a pretty good idea as to why many organizations fall victim to ransomware attacks like ExPetr and WannaCry. Additional problems lie in the effort organizations put towards training all employees with regular real-world phishing tests, monthly business continuity plans and incident response scenarios; basically, making security part of conducting day-to-day business for everyone.
At the end of the day, the challenges are real, but not insurmountable. You don’t need to have a utopian IT infrastructure or sell security to the board; you just need to implement a holistic security approach and, if you are shorthanded within your organization, have the right support system of security experts you can trust.
When WannaCry struck, a majority of executives weren’t shocked, since they deal with similar attacks year-round; the public simply doesn’t usually get hold of the security story. However, there are still many organizations that could be taking their security up a notch, and it’s outbreaks like WannaCry and ExPetr that grab their attention.
If you’re ready to assess your security posture, find out what next steps you can take to improve it, and establish a holistic security approach for your business, give us a call.
Photo courtesy of Sergey Nivens