WannaCry: A threat or opportunity to build a more effective IT system?
Sheer luck seems to have spared Canada significant impact of the WannaCry cyberattack that disrupted IT services in countries as diverse as Russia, the UK, Spain and India. One reason, according to Ryerson University’s Atty Mashatan quoted in the National Post, is that there is relatively little email passing between those countries and Canada.
This particular attack was spread by email, through spam that appears to be from one of the recipient’s contacts. Clicking on a link in the email, apparently from a trusted source, unleashes the virus that seizes control of the computer, encrypts its contents and renders them inaccessible – and offering to undo the damage in exchange for payment.
Many organizations, who think themselves safe from data theft because ‘We’re too small to bother with,’ or ‘We don’t have any data worth stealing,’ may have received a new worldview on the importance of cyber security.
News reports indicate that Lakeridge Health, an Oshawa, Ontario, hospital, was threatened, but a spokesperson indicated that the hospital was able to deflect the attack.
Even if your company dodged the WannaCry bullet, it’s still important to understand that this is just the latest in a line of hacking and ransomware attacks, which are likely to continue. The next ransomware attack will almost certainly be different, in part because computer users are now more alert to attacks via email, but some computer security experts warn that it may already have been launched.
Is your organization next?
Who is vulnerable? It could be any organization, but the most common risk factor in such attacks is outdated computer software. That includes legacy systems no longer supported or updated by the supplier, such as Windows XP. Newer software is frequently updated and patches added to fix vulnerabilities as they come to light. However, organizations that have not updated the platforms they operate on, do not get such protection.
As regards the ‘we’re too small’ viewpoint – many mid-size and smaller organizations have been hit with cyberattacks, some of them being held to ransom. So, although it was large, well-known organizations that made WannaCry-related headlines, there have been many smaller entities hobbled by attacks.
And as for the ‘we don’t have any data worth stealing’ defense, ransomware is still a threat. Reports indicate that the WannaCry extortionists managed to squeeze out a relatively paltry $60,000 for their efforts, but many large organizations suffered loss of functionality as a result of the attack. This included cancellation of medical operations and appointments across the UK.
As well, any organization’s systems might contain a treasure trove of information – patients’ and employees’ medical records, customer credit card numbers, intellectual property such as product formulations, and legal documents that might be valuable to the other side in a legal dispute.
Another concern comes through potential vulnerabilities that are a side effect of the ‘Internet of Things’ (IoT) in which previously-independent devices such as cars, trucks and home-security system are connected – and vulnerable to being hacked. Consider pacemakers and insulin pumps, which can be remotely controlled, and therefore hacked.
So, protecting against ransomware, guarding the integrity of the organization’s data and being able to safely access the business possibilities from IoT, are three good reasons to take steps to protect your system against outside attacks.
The fourth reason has to do with gaining the benefits that come from an updated system. Many organizations are reluctant to update – built on legacy software years or even decades ago. The system works, at least most of the time, and employees know how to use it. The company may well take the approach, ‘If it’s not broken, don’t fix it.’
Upgrading these systems seems to get more costly with each new iteration of operating systems such as Windows, so the upgrade keeps being postponed. It could be that the company doesn’t have the in-house IT expertise to upgrade the software, and is reluctant to divert the time and money to do the changes.
That is, until customers start to ask hard questions about the integrity of their data, and how safe their vendors are against attacks. Some customers may decide to switch to a supplier that can show it has taken steps to protect against cyberattacks.
Looking on the bright side of (upgraded) life
In such situations we find it’s often helpful to look at both sides of the coin.
On one side we see ‘avoiding problems’ with effective systems which might include successfully fending off a cyberattack – sometimes without the organization even realizing it had happened. On the other side, we see the opportunities for more efficient operations, fewer frustrations, and happier employees that come from systems that have been upgraded and are running on current software tools.
One of the brightest aspects to upgraded systems comes in a renewed flow of information that can guide decisions. Many legacy systems are a ‘black box’ in that very little useful data is generated by them, and revising the code to produce better data is costly and troublesome.
Current systems are designed to produce detailed information on the profitability of individual customers and products, pointing out areas of inefficiency, suggesting improvements, and reducing the need to re-key data or compile reports each time they are needed.
Upgrades to systems may be best done by a combination of internal and external resources. The company’s own employees have an understanding of the production process and how the company works – and what kinds of data are needed for decision-making. External information and business professionals bring knowledge of how issues have been solved elsewhere, and knowledge about the capabilities of a wide range of information technology solutions.
Working together, internal and external resources can develop a system that is more likely to prevent or deal with the next wave of cyberattacks – and be more efficient as well.