The recent WannaCry outbreak has taught a lot of IT professionals some valuable lessons about security, such as not using unsupported operating systems, installing security patches, updating your anti-virus and, my personal favourite... removing unauthorised software.
Infrastructure managers everywhere are scrambling to plug any holes in their systems to reduce the risk of an attack, which is great news for those organisations that were not affected by this outbreak, but not so much for others.
Now, of course, the bigger problem is that this was not just a one-time thing. The worm that delivered the virus is part of the NSA toolkit that was leaked on the internet, and that leak contained a lot more. There is also software that targets everything from Windows exploits to Cisco firewalls and VPN gateways.
This means there is a whole host of highly classified weaponised malware out there which is now in the hands of everyone from script kiddies to hardened criminals to hostile governments.
So our new reality is that we have to accept that it is a matter of 'when' and not 'if' it is going to happen again.
What do we do now?
Technology can only go so far in helping us, and at the moment it is mostly reactive: we rely on the fact that it takes time to build tools to exploit any vulnerabilities, unless somebody happens to dump a whole load of tools into the wild all at once. To counter these new and emerging threats, we need to change our security culture from reactive to proactive.
So, in addition to the technological solutions, we need to have organisational controls such as policies and processes to govern how we manage our IT security. This ensures that we find the vulnerabilities before they become a risk. And when (not if) something happens, we need to ensure that we learn from it to prevent it from happening again, or at least to reduce the impact or likelihood.
People are still the biggest threat, with over 90% of security incidents caused by human error. So we need to invest in training people, not just IT staff but the end users as well, in what they need to do to help prevent cyberattacks. They also need to know what to do when an attack happens. It may seem like common sense, but we should never assume that everyone knows what to do.