I will say this only once. Just because WannaCrypt turned out not to be the end of the world, and Microsoft unexpectedly released patches for unsupported operating systems, and Trump dropped the ball again, and there’s an election in the UK, and you’re bored with cynical marketing emails from IT companies, so you’ve moved on…it isn’t all ok now.
ShadowBrokers, the group behind the release of the NSA hacking tool that made WannaCrypt work, have threatened to release lots more exploits, some of them allegedly much more sophisticated, unless they’re paid off. And, I suspect, even if they’re paid off. Combining this state-security-agency-grade stuff with standard-issue ransomware, backdoor Trojans and other nasties is not difficult. If you want evidence, consider that the so-called “kill switch” in WannaCrypt was a rookie coding error, not a deliberate design feature. Some half-skilled criminal (or North Korea’s state cyber-warfare unit, if your tinfoil hat still fits) bashed some existing tools together with the digital equivalent of a mallet and the world melted down to the point where the last remaining talking head not actively involved in trying to restart the NHS, and so available for interview, was me.
And let’s not forget that there’s still a $450bn industry out there trying to steal your money. The “success” of WannaCrypt won’t stop the phishing scams, the whaling attacks, the endless drive-by malware, the POS compromises and so on and so on ad nauseam.
Get your act together now.
- Get some security awareness training.
- Lock down your perimeter.
- Get control of user privileges.
- Upgrade and update.
- Get certified – at least to Cyber Essentials; it’s basic, but it’s a start.
Then, when you’ve done that, you can worry about GDPR, and PCI-DSS 3.2, and the IPA, and the Privacy Directive and all the other regulatory change that’s coming down the road.
If you carry on sticking your fingers in your ears and singing “la-la-la I can’t hear you”, or you persist in believing that your over-stretched IT manager can keep all of this under control without any additional budget or any help, I will have no sympathy for you when it all goes wrong.
(ps. The bit about saying it only once? Not true.)