CEB Blogs


Information Risk

WannaCry Attacks: Communication and Culture More Important than Fancy Technology

Almost all successful cybercrime attacks exploit vulnerabilities over a year old; companies are far better off engaging and explaining to employees how and why they must be vigilant at all times

While the rate of WannaCry infections slowed down over the weekend, the threat is far from over, especially as researchers now think it may have connections to the North Korean regime.

As ransomware emerges as one of the principle cyber threats for governments and companies around the world, WannaCry variants exploiting the same Windows vulnerability have already been reported. Sophisticated attackers will seek to exploit other vulnerabilities, too. Fake WannaCry decryption tools are also emerging, so a rash of targeted phishing schemes that exploit the panic surrounding the latest attack may follow in short order.

How to Respond

While firms are allocating increasingly large portions of their IT budget to advanced cybersecurity capabilities, throwing more sophisticated tools at these attacks is not the best way to stop them.

The WannaCry crisis and predictions about future threats suggest that CIOs and senior information security managers should center cybersecurity strategies on the more mundane tactics of controls hygiene and employee awareness, not just advanced cybersecurity tools.

  1. Prioritize controls hygiene over advanced tools and capabilities: More than 90% of successful attacks exploit vulnerabilities over a year old. And while Microsoft released a security patch two months ago for the vulnerabilities that WannaCry exploits, attackers could still exploit the vulnerability in hundreds of thousands of systems.

    While the fix seems obvious, CIOs and security professionals should develop incentives (including in employees’ performance ratings) to encourage other teams in IT and in the wider company to take the right action and hold them accountable for their hygiene responsibilities.

  2. Concentrate resources on employee awareness and behavioral change: Successful high-profile attacks unleash a wave of copycat attacks exploiting the same and related vulnerabilities. One out of every two breaches can be traced back to insecure employee behavior, so cybersecurity strategies should focus on creating a company culture that values secure behavior.

    This means defining and identifying behaviors that underpin a “security mindset,” and instead of viewing employees as risks that must be mitigated, using their intimate knowledge of their workflows and other processes to enlist them in detecting incidents.

Most importantly, the most forward-thinking firms don’t face their cybersecurity challenges alone, but rely on the collective wisdom of their peers to share information on the threat, and rapidly respond to new and ongoing challenges.


More On…

  • Information Risk Management

    The rising importance of information risk has dramatically changed the opportunities for CISOs. Information Security budget and headcount have increased more than 200% in the past four years. Learn how to make the most of all those resources.

Leave a Reply



Recommended For You

Information Security: The 8 Types of Risk Assessment You Should Know About

Given it's such a common term, understanding each of these categories can help information security...