
WannaCry Attack Is A Wake-Up Call for Cyber Preparedness

By India E. Vincent
August 01, 2017

The scope of WannaCry changed our perceptions of ransomware attacks. Until then, the more highly publicized ransomware incidents were localized targets impacting only one or a small number of businesses. WannaCry made it clear that ransomware could reach a broad cross-section of computers worldwide, at essentially the same time.

While there have been some indications that WannaCry originated in North Korea, nothing is conclusive yet and investigations into the attack continue. Regardless of its origins, WannaCry focused the world's attention on cyber-attacks as a potential threat to everyone, not just large companies with highly valuable data. Responses to the attack around the world varied in their success recovering data, but funding in the bitcoin wallets designated to receive the ransoms indicates that only a small percentage of victims paid the ransom, even with the relatively modest demand of $300.

WannaCry was indiscriminate in its victims, affecting health care organizations, international corporations, governmental organizations, companies and individuals. WannaCry impacted more than 300,000 computers in more than 150 countries, causing countless hours of business shutdowns and IT time trying to restore the damaged systems. Despite the scope of the attack, the overall impact was relatively minor compared to the potential damage that could result from a more sophisticated attack. The attack did not result in the loss of personal data that could have caused the social and financial costs of this attack to skyrocket.

Experts agree that the WannaCry code was sloppy, making it easier to detect and stop than the newer, more sophisticated malware that is being seen in the industry. In addition, the sloppiness in the code facilitated the accidental discovery of a kill switch that dramatically slowed the spread of the ransomware. The code's disorder may also have reduced the number of victims who tried paying the ransom because there was wide speculation that the code did not contain the functionality to release the encrypted files after payment.

While disconcerting, the attack caused far less damage than it could have; most were lucky — this time. Now, many are hyper-focused on what to do to avoid being a victim of the next attack. These efforts reinforce the fact that it is impossible to guarantee that a system is fully secure, and highlight that solid software, network and computer controls and maintenance would have protected most systems from falling victim to WannaCry.

Larger organizations devote extensive budgetary and personnel resources to cybersecurity efforts, but not everyone has the ability, or the need, to engage on that level. Outside a regulated industry such as health care, where the cybersecurity obligations of those doing business in the industry are spelled out, businesses should assess the data they maintain, determine its value and vulnerability, and then select reasonable protections to secure the data.

Key elements of any data security protocol include:

  • Consistent and timely patching strategies;
  • Developing and maintaining proper security policies and procedures;
  • Implementing regular off-site back-ups combined with a business continuity plan;
  • Conducting personnel training;
  • Developing and testing an incident response plan; and
  • Obtaining cyber-insurance.

Developing and implementing everything in each of these categories is expensive and time-consuming, but for businesses outside the regulated fields that need cost-effective data security, it is possible to exercise a reasonable standard of care without breaking the bank. The key in every aspect of this effort is to identify the most critical data and focus more protection on that data.

Assess the Data

There are very few, if any, businesses that can safely say they are not targets for cyber-criminals, because at the very least, businesses have personnel records for their employees. Working with the assumption that all businesses have some data that is of value to a hacker, when conducting an initial security assessment businesses should consider the different types of data they store, including personnel data in human resource records, product specifications, business plans, health care records, manufacturing data, service plans and methodologies, customer contact information and preferences, customer payment information, research efforts and results, and any other data relevant to the business. Other considerations include the contractual obligations binding the organization, including its own privacy policies.

Not all of that data needs to be stored in impenetrable vaults requiring a dozen credentials for access, so the first step is to review all the different types of data the business retains and determine which is most important. Once the data is ranked according to risk level, the attack methods likely to be used against each category of data should be considered, and then the best methods for detecting and mitigating such attacks should be identified. There are many products and techniques available to detect, block and mitigate attacks. The selection of products and services is best discussed with a technical expert, but strong, up-to-date virus protection should be one of the components. These considerations shape the rest of the data security efforts.

Throughout the process of developing the security protocols, the reasonableness of the procedures should be considered along with the necessity of keeping the data secure without undermining its accessibility for business purposes.

Analyze the System

Knowing where each type of data is located within the company's system ensures that time is not wasted figuring out what data has been impacted when an incident occurs. These records of the system architecture are living documents that must be updated each time changes are made to the system. This documentation does not have to be highly technical, and the form of the records is not as important as properly documenting the nature of the data and its locations.

Because prompt responses are critical for limiting the damage resulting from an incident, understanding where each type of data resides, which data was impacted by the incident, and which data is the highest priority to protect or recover allows the response effort to be prioritized appropriately. This information can produce significant savings by limiting damage, yet it costs very little to develop.

Vendors

Companies that have third parties manage parts of their computer and storage systems must have a listing of all such vendors with contact information (both during and after business hours), and that list should indicate what part of the system/data each vendor manages.

Today, vendor contracts, particularly software and system maintenance and support agreements, are often drafted to provide rules for what each party must do in the event of an incident. While there is often a perception that including this detail in the agreement may extend the contract negotiation process, taking the time to specify those rights and responsibilities can save significant time and expense in the event of an incident.

In addition, it is important to keep in mind that certain vendors may need expanded access to a system following an incident. Setting up the basic terms of an engagement for assistance responding to an incident, including confidentiality obligations, whether as part of the primary services agreement or as a separate agreement, is key to allowing the identification, containment and remediation efforts to move as quickly as possible in the event of an incident.

Update/Patch

The single action that would have best prevented businesses from being victims of WannaCry is patching software. Cyber-criminals and nation state actors regularly seek to exploit security weaknesses and/or bugs in software, and by not taking the time to patch software as patches become available, businesses leave the door open for the hackers to attack. If businesses maintain their systems internally, they should have standard procedures for evaluating all new patches, developing a business appropriate strategy for applying the patch, and a communication protocol to ensure the patching is properly completed.

For those using third parties to manage their software, it is important to ensure that software maintenance and service contracts include access to such updates or patches, specify who is responsible for applying the update, and state a time frame for completion after a patch is released. While it can take a little time to coordinate everything necessary to implement a patch in a large or even mid-sized organization, it should be done as soon as possible, weighing the time needed to implement the patch against the risk of waiting and leaving the door open for a cyber-intruder.

Plans and Procedures

Security plans and procedures should be implemented, but this is more about establishing a culture of security throughout the organization than it is about having hundreds of pages of policies and procedures. Balancing the cost of the efforts to develop these policies against the cost of not having the policies is critical in this category. In order to minimize costs of these efforts, once again, the focus must be on the most critical data and what steps must be taken and documented in order to protect that data. Businesses may, and should, choose to implement different protocols for different types of data, but it is also important to limit the different policies and procedures to a manageable level.

Rather than leaving the data at risk, the decision should be made to put security procedures in place. When deciding on such procedures, consideration should be given to segregation of data, access to information, remote access to information, required authentication, and physical access to the data.

Each company's policies and procedures should be at least somewhat different, depending on the nature of its operations and the types of data it maintains. Identifying pre-existing policies and procedures can be good starting points for this documentation, but it is of little value if they are not reviewed and customized for the organization's systems.

Regardless of the type(s) of data, once draft policies and procedures are developed, the organization should evaluate the interaction of those policies and procedures in conjunction with the existing business procedures. If the security procedures do not work with the business objectives or unreasonably limit access to the data, adjustments should be made.

To be effective, the security plans and procedures must become part of the organization's day-to-day operations, and all personnel must internalize the importance of complying with such procedures.

Incident Response Plans

All organizations can benefit from some type of incident response plan. This does not mean that every organization needs a 100-plus page document detailing every element of what will be done in the event of a data security incident, but it does mean that some basic documentation to guide the response to an incident is helpful. The most important objective is having everything that will be needed to respond to an incident in the same place and accessible when it is needed to all who need it.

Key items to include in the plan are:

  • The list of team members responsible for responding to the incident and their responsibilities, including a hierarchy for decision-making so that time is not lost to arguments around these issues when in the midst of an attack;
  • Contact information for the team, including back-up methods of communication that are not tied into the company's systems in case primary communications are compromised;
  • Legal counsel and contact information;
  • The cyberinsurance carrier and contact information;
  • Documentation of the systems and what data is stored where; and
  • A list of any vendors and their contact information for regular business hours and after hours.

While an incident response plan can certainly include a lot of additional information, if nothing else, having this basic information handy will help the organization stay on the right path and work together without issue in the event of an incident.

Depending on the size of the business, the incident response team may include: the information technology manager, chief information officer (CIO) or chief information security officer (CISO) (or all of them); legal counsel (internal and external); human resource manager; operations manager; communications personnel; forensic consultants; and anyone else appropriate for the particular business.

One or more of the team members should have responsibility for regularly updating and reporting to senior management and the Board of Directors, where one exists. It is helpful to talk to those individuals in advance and include in the plan a description of how and when those groups want to be notified.

For example, incidents may be divided into different levels based on how critical they are and senior management may only be notified if the incident rises to a certain level. There may also be a different level of criticality that triggers notification to the Board. These determinations are a balance between the need to inform management and the need to avoid over-communicating every time something might constitute an incident. Clearly defining what constitutes an incident also helps facilitate communications during a response.

An incident response plan with the items identified above is relatively easy to establish, and the smaller the organization, the less it usually costs to develop the plan to this point. For those investing more in an incident response plan, it is helpful to create (or find and customize) a checklist for documenting an incident and the steps that are taken by the team once an incident is identified. Combined with this tracking system, a checklist of items to investigate and assess during the identification and containment phases of the response can be very helpful. These items help ensure that necessary evidence is preserved even while efforts are underway to identify, contain and remediate the cause.

In general, a more basic incident response plan that is updated regularly and reviewed and practiced for understanding can be far more valuable than a lengthy document created once and placed on the shelf and not touched again until an incident. The quick actions of a response team can go a long way toward mitigating damages from an attack, and a well-rehearsed incident response plan expedites actions in the event of a breach and facilitates thoughtful, coordinated decision making both internally and with vendors.

Forensic Assistance

All businesses, even those with IT personnel on staff, should consider having a forensic consultant on retainer, or at least develop a relationship with such a consultant so that time is not lost negotiating an engagement after an incident has been detected. Forensic consultants should be considered even for organizations having in-house IT expertise, because forensic consultants have different skill sets than most in-house IT staff, and their special training in preserving evidence in the event of an incident can be the difference in whether the perpetrator can be identified and prosecuted. Not only do forensic consultants bring an additional skill set, they can focus on identifying, containing and remediating the malware while the organization's IT staff focuses on getting the business back up and running as soon as possible.

Many consultants in this field will set up retainer agreements with a zero or low dollar retainer that can be activated when there is an incident, so they are ready to step in and assist with just a phone call.

Once a consultant is selected, reviewing the company's plans, policies and checklists with the consultant in advance helps ensure that everyone works with the same set of objectives when responding to an incident. The consultant's contract should include specifics about what constitutes an incident for which the consultant is to be engaged, how the consultant is to be contacted in that event, and the time frame in which the consultant will respond. As with other items recommended here, putting this retainer agreement in place is a relatively low-cost effort that can be very valuable in the event of an incident.

Training

Because the very large majority of cyber-incidents involve some element of human error, it is critical to invest resources in training personnel to identify suspicious emails, websites, links or behaviors. There are vendors providing this type of training at all different price points, and the wide range of options makes it very easy to implement such training. If even the lower cost vendors are out of the price range or formal training does not make sense given the size of the organization, there are materials freely available online that can be used to train personnel.

Assigning one or more members of the organization to review such materials and provide an overview of recommendations during a scheduled meeting or circulate links to key materials is better than nothing. The chances of human error can be minimized but can never be eliminated, and therefore, training should be ongoing. From a cultural standpoint, all personnel should be encouraged to understand that there is a balance between ease of access to information, the usability of that information and securing it. The organization must make certain choices for the security of its information; however, personnel who understand the reasons for the security measures and the limitations placed on access to the data are more likely to comply with, and not circumvent, such measures and limitations.

Continuing Improvement Plans

As many businesses are doing in the wake of WannaCry, conducting a “lessons learned” session at the end of any incident is critical to ensure the business is better prepared for the next attack. The business should assess: what was well handled in the response; what could have been done better; what, if anything, completely failed; and how additional training, changes to the systems, updates to the incident response plans, or other actions can improve future responses. Once this analysis is completed, all plans and documentation should be updated as appropriate so the organization is ready for the next incident.

Why Do All of These Things Matter?

The cost of remediating a breach is much greater and much more detrimental to the health of a business than the cost of any of these measures, no matter how expensive they may seem at the time. Hundreds of thousands of dollars — and even more — can be spent investigating an incident and covering directly related costs, such as the cost of reporting a breach, but that is not the greatest risk to most businesses. When an incident of this nature is reported, consumers are likely to lose faith in the business and may take their business elsewhere. For most businesses, the loss of market share is significantly more important than the direct costs incurred from the breach.

WannaCry upped the public awareness of potential consequences from a ransomware or other cyber-attack targeting more than a single organization. Everyone must be cognizant of the risks and the fact that deciding not to do anything about cybersecurity is itself a decision to place one's business at greater risk. Simple steps can go a long way toward protecting an organization, and for most businesses those can be implemented and managed in a cost-effective manner that reflects the size of the business and the nature of the data.

It would be nice if we could confidently say that future cyber-attacks will be prevented or that measures are in place to ensure such attacks will not impact businesses, but WannaCry made it clear that all businesses and individuals (and all computing devices, including computers, servers, networks, mobile devices and computer-enabled things) are at risk from the right attack. Accepting that fact and learning to work within the new risk profile is going to be part of business operations for the foreseeable future, but it is a risk that can be managed.

India E. Vincent leads the Cybersecurity Practice at Burr & Forman, where she is a partner in the firm's Birmingham, AL, office. She may be reached at 205-458-5284 or [email protected].

