You’re probably sick of the ‘W’ word being blasted over tech media and marketing spam by now. Nonetheless, WannaCry marked such an important point in information security history that it’s worth revisiting.
Counting the cost
The first-hand impact experienced by everyday citizens is what thrust this cyber security story into the news spotlight during May 2017. Over 19,000 appointments across 603 NHS organisations were cancelled, Renault factories ground to a halt, Deutsche Bahn ran out of steam; the list goes on. WannaCry was ruthless in its pandemic nature — punishing vulnerable systems exposed to the internet, neglected by businesses and governments worldwide. Cyber risk modelling firm Cyence estimates the losses incurred from WannaCry to be in excess of $4bn, whereas Lloyd’s stated that losses could be as high as $121bn — over eight times the damage costs Haiti suffered from the earthquake in 2010. Regardless of how these risk organisations arrived at these astronomical figures, presenting them to any risk management board should be enough to guarantee a little more budget for your security shopping list.
This new real-world example of the risks and repercussions of an ineffective approach to information security sparked a new wave of outcry from IT programme managers, who in some cases were finally being listened to. NHS Digital led the charge by pledging to “reprioritise £21 million in capital funding from existing IT budgets to improve cyber-security in major trauma centres”. Gartner, the global research and advisory firm, forecasts worldwide enterprise security spending to total $96.3 billion in 2018, an increase of eight percent from 2017. WannaCry may not be the only culprit to thank here, as we have also seen other high-profile incidents over the last year, such as NotPetya and one of the largest breaches in history courtesy of Equifax. In contrast, however, a survey conducted by AlienVault revealed that 14% of respondents had their budgets for IT security increased. Ultimately, only time will tell.
Spend it wisely
Regardless of the size of the security budget, the most important factor in any security programme is how it is spent. Always aim to maximise return on investment in terms of operational capability. Too often engineers are left supporting ad-hoc solutions because the technical leaders within an organisation were not made part of the purchasing process. Empower your operational teams with tools fit for purpose and involve them in the security programme design phase. Your boots-on-the-ground staff will always have the best insight into the pitfalls and challenges unique to your environment; challenges that management often overlook when trying to shoehorn the latest “Next-Gen” product into production. WannaCry has not only been a great opportunity for increased security budgets, but also an opportunity for salespeople to gain more leverage in their pitches for top-tier solutions. In the end we preach the same mantra: do your basics, and do them well. Implement a solid foundation and entrust your technical leadership to build from there.
As part of our consultancy ventures we have certainly seen an increase in the sense of urgency and importance of security solutions since WannaCry hit the headlines. Executive boards are more receptive, management are more efficient and system administrators welcome a helping hand, as opposed to holding a cross and holy water to any security assessment change requests. An enterprise client of ours stated that when the news broke, they caught up on over 14 months’ worth of patching over a single weekend. There are many similar statements, which begs the question: was WannaCry a blessing in disguise? We certainly hope so.