Here are my top 5 things everybody (including organisations) should do to limit the risks and fallout from cyber attacks like WannaCry:
1. Update your software on servers, desktops and mobiles
This may be difficult with older systems, but if you don’t want to upgrade or pay for patching, consider that the cost of being out of business for a while, or of paying a ransom, is much higher. Many attacks succeed because people don’t patch or update their software and have no backup plan.
Ransomware as a business opportunity is sustained because so many victims have no other choice but to pay up.
2. Have a backup plan (or disaster recovery plan)
Mitigate against ransomware or loss of access through a clear disaster recovery strategy. Not being able to use any of your services, including email, will likely cost you a lot of money. How long is it OK for you to be closed for business? How much history of changes to files and data is it OK to lose when recovering from backups? How do you communicate effectively when your core services are compromised?
Ask yourself these questions and put in place ways to recover from an attack, quickly.
3. Improve your team’s digital skills
A lot of attacks start because somebody accidentally clicked on a link or opened an attachment without thinking too much about the implications. Make sure the people you are working with know the basics to protect against falling for phishing scams and other nasty surprises. Don’t be embarrassed to ask for help – become knowledgeable.
Protect your senior staff, including the CEO(!), as there has been an increase in malware and phishing targeting business leaders. Train all the people.
4. Secure your networks and devices
Sounds simple, but with everyone being in the cloud these days, it’s harder to cover all the points of entry. Have an effective way to deal with staff, customers and guests bringing their own devices (BYOD) onto your network.
Test all aspects through an objective security assessment and think about what an attacker would do, not what you or the auditors want.
5. Reduce business risk through resilience
Build resilience by looking at the common ways businesses and users are attacked and adjusting your planning accordingly. Define clearly how you will respond to an attack, including through PR/Marketing. This goes beyond basic disaster recovery for when services become unavailable.
Penetration testing shouldn’t be the only tactic you rely on to assure yourself. Carry out security audits and, if you develop any kind of code, look into offering bug bounties too.
Do you have anything to add? What are you doing to mitigate against the risks of cyber attacks on your business?
Image credit: Simson Petrol
Also published on Medium.