Incoming: I Just Wanna Cry Again, This Time Over Ransomware

In business as in life, whenever something goes terribly wrong, there is a reflexive tendency to start talking about what should have been done and to affix blame instead of focusing on how to move forward successfully. Cyber attacks are certainly no exception.

I simply WannaCry.

The virulent ransomware strain known by this name seized control of computers until victims paid an extortion fee. At least 100 countries were affected in mid-May, and Britain’s National Health Service (NHS) was hit hard by the massive encryption of sensitive data, locking doctors and nurses out of patients’ records unless they ponied up. One-fifth of NHS trusts—the regional bodies that run British hospitals—were affected by the global ransomware campaign, which also took down the information technology systems of general surgeons and dentists across the country. 

The WannaCry breach is yet another sign that government enterprises must perform in-depth network security reviews to identify vulnerabilities and prioritize resources to ensure that “crown jewels” remain protected. This is an important step for agencies to move toward a more proactive stance in safeguarding their information technology environments. 

The NHS is no different from other government agencies in that its information technology is in a state of flux, driven by changing behaviors and increasing demand for services, in addition to quickly evolving mission requirements. It needs to take a strategic approach to achieve equilibrium between securing mission-critical systems and ensuring access to modern technology that delivers results for end users. Scarce resources have to meet mission needs even as cyberthreats are increasing and becoming more sophisticated.

Adding to the challenge are the urgent and often competing calls for implementation of the next one-off cure-all put forward by well-meaning administrators but insufficient for securing entire enterprises. These products are important in addressing some of the latest threats, but when implemented outside of a holistic plan, they will fail.

After a major cyber attack such as WannaCry, the conversation about solutions needs to rise above information teams to overall agency leadership. Tough decisions must be made about security, and stakeholders must realize that security is the responsibility of all network users. It is not solely an information technology function.

Part of the conversation should center on budget decisions. About 80 percent of information technology budgets are allocated to prevention efforts such as intrusion detection, firewalls and anti-virus software, with the remaining amount spent on security information and event management. The biggest investment should be made on the active phase of information movement to secure the agency’s future information technology environment. By implementing a holistic security strategy, agencies can shift resources to areas such as end-user education efforts, infrastructure modernization and post-breach mitigation efforts. Strategy must account for what is mission-critical as opposed to a more traditional blanket approach of protecting everything at the highest level. 

Government agencies tend to try to protect every application on their networks equally. With most of their time, attention and budget focused on the prevention phase of the security life cycle, agencies and their industry partners need to recognize that not all data is created equal. Security should be applied in layers, with priority given to the most important data.

The problem is that government agencies often do not differentiate between new and legacy applications, and insider risks are not sufficiently mitigated. Too often, all applications are viewed as needing equal protection—even redundant or outdated programs. Every agency must rationalize the information being used on its network. Creating a holistic plan ensures that assets and vulnerabilities are identified, and then those that need the greatest protection can be prioritized. The goal is to understand where valuable data is under the greatest threat and allocate resources to defend it accordingly.

Hardware and software modernization and rationalization by themselves are not enough to protect enterprises properly. Insider risks are among the most common issues all organizations face. Government agencies also must deal with the occasional corrupt insider, but far more frequently, these are insiders who inadvertently make security mistakes.

These basic lapses result from inadequate security training and security protocols that have been allowed to grow old and out of date. Regular security housekeeping means setting up schedules and procedures for network hygiene and establishing training and refreshers for agency employees.

If the WannaCry attack teaches us anything, it is that this event was preventable. The victims only needed to keep up with the latest operating system patches. Simply abide by the N minus 1 rule: Never be more than one version out of date. And patch—always. In addition, endpoint management as well as effective network controls, network monitoring and device backup can help. Then none of us will have to cry again.

Maj. Gen. Earl D. Matthews, USAF (Ret.), the former director of cyberspace operations in the Air Force’s Office of Information Dominance and Chief Information Officer, is vice president of the Enterprise Security Solutions Group for DXC Technology (formerly known as Hewlett Packard Enterprise Services), U.S. Public Sector. The views expressed here are his own.