WannaCry Ransomware Crisis – Lessons Following the Tears
On Friday, May 12, 2017, a ransomware dubbed “WannaCry” claimed hundreds of thousands of victims in at least 150 countries. It demanded a payment of at least US$300 to release files and data, or to recover computer access.
The ransomware exploited a vulnerability in machines running older, unpatched versions of the Windows operating system. Reported victims of the ransomware include commercial entities, telecommunication providers, government agencies, and even emergency service providers.
One clear lesson as we look to deal with the next cyber crisis is that technological infrastructure is more fragile than previously thought. That means firms need to consider the growing risk of business interruptions resulting from cyber incidents.
Greater connectivity and complexity among IT networks increases the risk that such disruptions will cascade. Such effects may be felt even when your firm is spared a direct hit, but suppliers or other business partners fall victim. In today’s world, many businesses consider IT and communications outages the leading cause of supply chain disruptions, and these can lead to significant losses.
Key Takeaways from this Incident
- Cyber is not merely an IT department issue. It is a risk issue for everyone in the organization to deal with. To insist it is only an IT department issue is akin to insisting that government security and military agencies are the only parties responsible for fighting terrorism.
- Just as with terrorism, even the best security measures cannot totally prevent cyber incidents. It is important to work on resiliency and crisis plans to supplement the security measures.
- Nobody is ever 100% safe from cyber attacks. A case in point: the WannaCry crisis originated from a breach in the network of the National Security Agency, a military intelligence organization within the US Department of Defense. It should be safe to assume that they had some of the best IT engineers working on their systems, which were ultimately breached nonetheless.
- The most common source of cyber breaches is human error or carelessness. When a system is breached, it is not necessarily the fault of the IT department.
- Outsourcing IT functions does not outsource your liabilities to your clients, business partners, employees, and regulators.
- Studies have shown that many individuals around the world believe their lives can fall apart if they lose their mobile devices. The loss of data, or of the functionality of their networks, can have a similarly devastating effect on businesses. There have been cases of otherwise profitable businesses that have collapsed because of cyber incidents.
- It is not just the loss of data that is at stake in a cyber attack. The reputational loss from having customers’ personal data exposed can sink a business overnight, especially when trust or goodwill is critical to the relationship between the business and its customers. The loss of data, therefore, is not necessarily proportionate to the reputational and business loss. For example, a bank may lose 10 customers’ data, resulting in their personal information being compromised. The direct financial impact from this may be manageable to a bank – simply compensating these 10 customers for their losses. However, once this piece of news is reported in the media, the bank’s reputation takes a hit, and thousands of other customers may decide to take their business elsewhere. As a result, the financial fallout from that reputational loss will be much greater.