The WannaCry ransomware attack has highlighted a serious problem. If there is negligence in your IT strategy, you are increasingly risking the functioning of your organisation and the privacy of your customers. If you are careless with data you don’t own, data of which you are legally only the custodian, or if you store personal information in ways that are against the law, then you face an increasing risk of prosecution.
The WannaCry attack wasn’t exactly ‘targeted’ as far as we know. America was remarkably unaffected, as was most of European commerce. It was discriminating in that it could attack only those organizations with chaotic IT: organizations that, despite warnings, were storing departmental data, organizational data and sensitive personal information on PCs with unpatched operating systems. This data should have been placed securely on a server, backed up, audited, and covered by planned high-availability and disaster-recovery arrangements.
The security aspects of WannaCry are interesting. Exploiting a known vulnerability in Microsoft’s Server Message Block (SMB) file-sharing services, on unpatched versions of Windows XP, the WannaCry virus could encrypt every file visible to the users, even over a network connection. It could also have copied anything it considered valuable to a remote server. One hopes that the NHS networks would have spotted this traffic.
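The two network symptoms described above, a single host fanning out to many peers over SMB and a large upload to an address outside the organisation, are the kind of thing a network team could have flagged. The following is an added illustration, not code from the original post, of checking flow records for both patterns; the flow tuples, the internal address ranges and the thresholds are constructed assumptions.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumed address ranges that count as "inside" the organisation.
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed flow records: (src_ip, dst_ip, dst_port, bytes_sent, seconds_since_start).
# 10.0.0.5 sweeps its subnet on TCP/445 (worm-style SMB spread), then pushes a large
# volume to an external address. 10.0.0.7 is ordinary traffic to one file server.
FLOWS = [("10.0.0.5", f"10.0.0.{n}", 445, 900, n) for n in range(10, 30)] + [
    ("10.0.0.5", "203.0.113.9", 443, 120_000_000, 40),
    ("10.0.0.7", "10.0.0.2", 445, 4_000_000, 5),
    ("10.0.0.7", "10.0.0.2", 445, 2_500_000, 50),
    ("10.0.0.7", "198.51.100.20", 443, 30_000, 55),
]


def is_internal(ip: str) -> bool:
    """True if the address falls inside one of the assumed internal ranges."""
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def smb_fanout(flows, window: int = 60, threshold: int = 10) -> dict:
    """Map src -> peer count for hosts that open TCP/445 to at least `threshold`
    distinct internal peers inside one `window`-second bucket (SMB worm spread)."""
    peers = defaultdict(set)  # (src, time bucket) -> set of destinations
    for src, dst, port, _, t in flows:
        if port == 445 and src != dst and is_internal(src) and is_internal(dst):
            peers[(src, t // window)].add(dst)
    hits = {}
    for (src, _), dsts in peers.items():
        if len(dsts) >= threshold:
            hits[src] = max(hits.get(src, 0), len(dsts))
    return hits


def external_upload(flows, min_bytes: int = 50_000_000) -> dict:
    """Map (src, dst) -> bytes for internal hosts that send at least `min_bytes`
    to a single external address (candidate data exfiltration)."""
    totals = defaultdict(int)
    for src, dst, _, nbytes, _ in flows:
        if is_internal(src) and not is_internal(dst):
            totals[(src, dst)] += nbytes
    return {pair: total for pair, total in totals.items() if total >= min_bytes}


if __name__ == "__main__":
    print("SMB fan-out:", smb_fanout(FLOWS))
    print("Large external uploads:", external_upload(FLOWS))
```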
I happened to call into my dentist the morning after the attack. All their systems were down, not because of any attack, but because the part of their network that was shared with the NHS was down. Was that overload? Has the data of the healthcare of the entire UK population been copied to the dark side of the web? I have no idea, but we know for certain that highly sensitive private data was wide open to what was frankly quite an amateurish attack. This would, for a private company, risk prosecution by the Information Commissioner’s Office.
We also don’t know who else may have exploited this SMB vulnerability, when, or how. We could wait a while before finding out. There is often a long time between a data breach and the confirmation that the data was made public: six months (Trillian) is not uncommon. The patients of the National Health Service have a right to know a lot more about how their data is held because, even if no data was stolen this time, important databases were compromised, with personal data rendered unavailable for the purposes for which it was collected.
Is the WannaCry incident a wake-up call for the industry? Certainly, it serves to demonstrate that cowboy IT practices that neglect both security and sensible backup really do harm organizations and their customers.