When the news broke on Friday (12th May) that a large number of organisations, including the NHS here in the UK, had been subjected to a successful major cyber attack, my first thoughts were “that’s terrible” followed quickly by “…but actually surprising that it hasn’t happened sooner.”
The technical problems have been widely reported and over the weekend the majority of the issues have been put right.
This has largely been a triumph of these organisations’ ability to restore data and repair compromised systems. But it raises serious questions as to how this vulnerability emerged and how the outbreak could have been prevented.
Microsoft, as the vendor of the affected operating systems, has allowed a vulnerability to emerge in an old version of their primary file-sharing protocol. Large swathes of UK plc still relies on these operating systems. They are considered out-of-date according to Microsoft but many companies only have hardware that will run the older operating systems.
Microsoft issued a patch for the vulnerability back in March, around 2 months prior to the attack.
Microsoft isn’t responsible for upgrading company IT equipment, but it does raise the issue of how long it’s responsibilities towards security on older systems extend. There is no legally-tested statute of limitations on this, simply commercial imperatives.
Although this post is focussed on this outbreak, it should be noted that the hardware – software upgrade cycle applies to any company that contributes to either side of the equation. When Android-based malware reaches a similar level of maturity then we are potentially looking at a far greater potential impact.
Looking at the victims, I refuse to single out the NHS here, as the broader media has. That would be to ignore just how serious and widespread this attack really has been.
All affected organisations could have been, in theory, aware of the vulnerability. It has been somewhat lost in the story that the vast majority of companies and government agencies were NOT affected. The first thing this tells me is that there is a clear opportunity for organisations to work together to understand how their differing postures allowed or prevented the effects of the attack.
When reviewing this attack I would look to GOVERNANCE rather than solely technology for the answers to how the vulnerability could have been addressed.
For example, attacks like this have a tendency to require an invitation. Whether that is visiting a website, clicking on a link to download an attachment or plugging in an infected device via USB. How this attack started needs to be understood as much as how to respond to it in the future. People are very often the weak link. The best way to address this is communication and education, based on a clear, easy to understand set of policies that define what is required, why it is required, how it will be measured and what will happen in the event that they are not followed. This is a key component of governance.
Having clearly set organisational governance, with appropriate policies and an audit framework that measures and reports clearly how those governance objectives are being met is CRUCIAL when addressing this sort of issue.
Without a clearly set governance agenda, the ability to prioritise resourcing and IT response runs the risk of becoming (remaining) far more ad-hoc. Managing risk and encouraging a culture of risk management throughout all levels of the organisation is crucial. Using that culture to drive an appropriate response to cyber attacks like this and encouraging a management approach that thinks ‘cyber-resilience’ when making investments in IT services has never been more important. Clearly there isn’t an endless pot of money and ensuring it goes in the right places is obviously important. Balancing our response over both the preventive actions and our ability to recover is now essential as it is ‘when’ rather than ‘if’ we are successfully attacked.
While I don’t always agree with the way these events are reported, maybe the wide-scale coverage is what’s needed to kick start a new discussion on how we manage our ability to support business objectives rather than just how we control IT expenditure. Plenty of organisations are already there, but many more are just starting the journey.