2017 was a big year for large-scale attacks. Just weeks after WannaCry crippled the NHS and broader industries, NotPetya hit. One year on from NotPetya, it seems lessons still haven’t been learned.
NotPetya targeted a range of businesses – from shipping ports and supermarkets to ad agencies and law firms. Once in a system, the code sought to destroy files. A lack of regular patching of outdated systems because of the issues of downtime and disruption to organisations was the path through which both NotPetya and WannaCry spread, and this fundamental problem remains.
With stretched budgets, IT teams are too often short on the resources required to conduct manual patching. So, it doesn’t take long for hardware to become increasingly outdated, software to become increasingly unstable and IT training to be left by the wayside. The result is an environment where basic security practices are being forgotten. This lack of IT security awareness is in stark contrast to the number of technological advances we’re seeing across all industries. More worrying, it’s an opposing trend to the increasingly sophisticated techniques being used by hackers, who are innovating at a far greater pace than IT teams can handle.
A year after NotPetya, the adage of prevention is better than cure remains true. Our recommendation is clear: go hack yourself. Ethical hackers use the same tools, techniques and methodologies as the ‘bad guys’ behind the likes of NotPetya, WannaCry, and more. They know what organisations should do to limit their exposure and vulnerabilities regarding network security. Most software has an inherent weakness, as it is written by humans – whereas criminals are using automated tools to scan software code for vulnerabilities. So, the chips are stacked against the IT teams already, and engaging in ethical hacking practices can rectify weaknesses before criminals can exploit it.
The issue of cybersecurity goes beyond the industries making the front pages for breaches of cybersecurity. According to the Department for Digital, Culture, Media and Sport’s Cyber Security Breaches Survey 2018, around 43% of UK businesses have experienced a cybersecurity breach in the past 12 months.
This highlights the fact that you cannot retrofit security and protection is a continuous activity spanning many areas including Life Cycle Management. The most secure organisations do not adopt one-size fits all approach, but instead, take a proactive approach and implement robust security practices that match the nature of their organisation.
Cyber security resilience must be approached logically, regularly, and in response to the context of the environment in which it operates. This means security teams must be working towards assessing risk levels and identifying assets (which should be simpler in a post-GDPR world). Only then can potential countermeasures be considered, continuity plans put in place, and vulnerabilities detected and managed.
The security chain is only as strong as the weakest link, which is why security risk must be consistently approached in a cyclical manner.
NotPetya exposed just how primitive an approach many organisations are still taking towards cybersecurity, despite the daily warnings and threat of breaches. Organisations can’t afford to wait any longer before addressing the most basic of security concerns. The good news is – these practices are manageable, and with solutions providers, ethical hackers and IT teams working in unison, we can prevent the impact of the next NotPetya.
Charles Eagan is chief technology officer, BlackBerry
