The WannaCry and Petya attacks caused disruption on a colossal scale over the last few months, affecting businesses around the world.
In theory, the cost of damage in trade and reputation should have sounded alarm bells and jolted businesses into tightening their security systems to mitigate against such attacks in the future. But has it done this in practice?
Tripwire, a provider of security and compliance solutions for enterprises and industrial organisations, conducted a survey to find out how confident security professionals were that organisations had made appropriate security improvements since the WannaCry and Petya attacks.
Unfortunately, over two thirds (68%) of respondents did not feel confident that enterprises overall have made the necessary improvements to better protect against cyber attacks, in spite of this year’s major global attacks. This lack of confidence could be down to a lack of action from organisations in implementing and practising critical security controls.
It was found that nearly a third (28%) of security experts felt the biggest issue for a business is not knowing what devices are on the network. This was followed by concerns on how organisations manage vulnerabilities (14%), manage administrative privileges (6%) and pay attention to audit logs (6%).
Still, the majority (40%) believed there was not one root problem and that organisations were failing at all the above.
Tim Erlin, VP at Tripwire, said, “No matter how big or small your organisation is, you have to have a serious attitude towards security. If you were lucky enough not to have been affected by WannaCry or Petya, take it as a sign. Remember, you don’t have nine lives. All it takes is one data breach or another WannaCry and your company has lost data, money, credibility and most importantly, customer trust, which is one of the most difficult things to recover.
“Adopting best practices and leveraging critical security controls will continue to be the best bet for defending against advanced adversaries and can help close the gap within a business’s security infrastructure. There is research that supports the claim that the vast majority of attacks are due to known vulnerabilities and most of these breaches occur from exploits that have been left unpatched. It is important to understand that good security hygiene will greatly reduce the effectiveness of an attack and goes a long way to making the attacker’s job more difficult.”
On the plus side, the overwhelming majority (84%) of security professionals said that their organisation is making appropriate investments in mitigating its cyber security risks. When you consider the severity of the average cost of a global cyber attack, it’s a welcome sign to see enterprises budgeting for cyber defences.
“It’s good to see businesses investing in security defences. However, it’s about purchasing the right technology that’s suited to that company and to understand that technology is not the only solution. Enterprises need to remember to focus on the fundamentals of security. One of the most important tools, and probably the one that gets overlooked, is education. Malware attacks often rely on social engineering and playing on the weakness of human nature. The recent malware attacks are perfect examples of where a sound, consistent education programme could have either prevented or reduced the impact of the attack.”