19 May, 2017
A major ransomware attack over the weekend is a warning to organisations that they face a "crippling impact" to their operations if they fail to take basic measures to protect the security of critical systems and data, an expert in cyber risk has said.
Thousands of organisations around the world, including NHS bodies in the UK, were locked out of systems and data as a result of the so-called 'WannaCry' attack which began on Friday and was still affecting some organisations on Monday.
The ransomware spread to systems that were running on out-of-date software that contained a vulnerability, despite the fact a security update for that software had been available since 14 March.
Ian Birdsey of Pinsent Masons, the law firm behind Out-Law.com, "The WannaCry ransomware attack appears to have operated like a worm attack that was common in the early 2000s by searching for and spreading to systems that contained a particular security vulnerability. The attack does not appear to have been particularly sophisticated, and indeed the UK's National Cyber Security Centre has indicated that the most basic cybersecurity hygiene by organisations – keeping security patches up-to-date, running antivirus programs and backing up data – would have been sufficient to repel this attack."
Ransomware is a type of cyber attack that sees hackers install malicious software on to computer systems that prevent businesses carrying out everyday operations or accessing data or other assets. Businesses are prompted to make a payment to the hackers to decrypt data encrypted by the attack.
Birdsey said that the scale of the WannaCry attack shows that many organisations are not treating the cyber threats they face seriously enough. He said there is an opportunity for the UK, and other countries across the EU, to drive better practices when they come to implement the EU's Network and Information Security (NIS) Directive.
The NIS Directive sets out measures designed to ensure critical IT systems in central sectors of the economy like banking, energy, health and transport are secure. It will apply to operators of such "essential services" and to "digital service providers". EU countries have until 9 May 2018 to implement the Directive into national law.
Under the Directive, each EU country will be responsible for determining its own “effective, proportionate and dissuasive” penalties for infringement of the NIS rules. However, possible penalties could include fines, public naming of those in breach, and/or a requirement to rectify deficiencies identified with cybersecurity measures deployed.
"The cyber risk that organisations of all kinds are exposed to is real and growing," Birdsey said. "The risk is particularly pronounced in areas of infrastructure that are critical to everyday life, such as banking, health, energy and transport – all the sectors within the scope of the NIS Directive. Yet, as the WannaCry attack has demonstrated, many basic security failings are still common."
"Cyber risk has risen up the boardroom agenda in recent times, but it is clear that, despite a raft of new legislation, government guidance and industry warnings, many organisations are still operating systems vulnerable to attack," he said.
Birdsey said that the WannaCry attack should prompt organisations to review their cybersecurity practices including their readiness for cyber attack.
"Organisations of all types and sizes should check whether their anti-virus programs are operating effectively, whether they are up-to-date with their security patching for software and ensure they back-up data onto systems that are operationally distinct from the main systems they rely on to ensure that systems can be switched and operations restored quickly in the event a ransomware attack hitting," Birdsey said.
"In addition, organisations should put in place, and test, an incident response plan. Such a plan would enable them to efficiently manage any breach they experience with the help of third party experts, such as forensic IT investigators, PR agencies and legal advisors, in line with their legal and regulatory obligations and industry best-practice," he said.
For further information, please contact:
Ian Laing, Partner, Pinsent Masons
ian.laing@pinsentmasons.com