Roughly 30 minutes after the Guardian broke the news of the WannaCry ransomware attack I received an unsolicited email from a sales rep trying to leverage the WannaCry attack to sell their software protection product. Now I’m used to some very slippery tactics, but even this is especially low. The rep even bragged about how they had several NHS clients and were working closely with them to assist in remediation. I don't think I'd be comfortable having a vendor use an attack on the company I work for to sell software to others.

This particular threat has been around for quite a while, and the impact and probability of its risk have already been assessed in most organizations, yet there it is, propagating across multiple networks and companies (supplier to client, client to supplier) here and now.

Put a security risk assessment at the top of your to-do list

Some salespeople (just like the rep that contacted me) would have you believe that their new AI-enhanced, multiplatform, anti-malware, cloud managed, active interception, kill chained, next generation, and various other business bingo term products protect your company from future attacks. No single product, or even suite of software, can adequately protect you from all types of threat.

What truly mitigates against this category of risk is:

  • a true understanding of the impact of these threats (how much damage they could do to your business)

  • the probability of this happening. If it has happened before and nothing has changed then it will most likely happen again

  • active threat detection (how would you know it has happened)

  • maintaining software properly, so that it is patched and, just as importantly, retired when beyond its warranty

Essentially, what we’re talking about here is a security risk assessment.

Now is a great time to step back from the ransomware discussion and look at what it is you are trying to protect, the value it has in the organization, and then align that with a business objective. Don’t just patch Windows/software or buy threat detection software; instead, look at the processes and policies currently in place that may allow that vulnerability to be exploited, or a threat to be more impactful than it should be.

The cheapest of all, of course, is reviewing how effective your awareness training is. How mature and effective are your Disaster Recovery or Business Continuity plans should a threat be partially or wholly successful? Will your backups work? The simple rule is that if you have never tested them, you should assume they are defective. Start by changing the way your colleagues work in small incremental ways to improve your security position. Look at cloud providers' solutions in a more holistic way to see if you can transfer some of this risk to them, as this may be their 'bread and butter', and they will probably do it more effectively, cheaper, and faster than you.

Align your security strategy with the goals of your business

Finally, don’t just band-aid the problem; instead, take some time to step back and look at the dependencies and causes that allowed this threat to emerge. Put the budget, people resources, and attention into plugging the vulnerability. Your return on investment will be greater than the ‘quick fix’ software with which you ‘plug’ the current problem.

Bruce Schneier’s blog post from 2008 still holds up well today: “A company should implement only security countermeasures that affect its bottom line positively.”
In other words, don’t implement a solution for a problem which doesn’t really impact your organization. More importantly, don’t ignore the very real threats to your organization’s bottom line and the implementation of effective countermeasures to mitigate them.

If you do not carry out an accurate risk assessment, then you are putting your organization’s security in fate’s hands.

