Learnings from WannaCry after 30 days

Guest written by Charles Habak, Vice President and Wayne Loveless, Principal at Booz Allen Hamilton MENA.

WannaCry (Wcry) represents the latest version of a growing threat called ransomware – a tailored piece of malware designed to exploit specific vulnerabilities in the operating systems of its victims’ computers.

Malware outbreaks are not infrequent, but Wcry spread so rapidly that it revealed vulnerabilities in the business planning, employee preparation and internal procedures of organisations all over the world. A majority of affected systems were running outdated versions of software, with no access to updates because the vendor had phased out support for these legacy systems.

The financial services industry is no stranger to the phenomenon of outdated software. Many of today’s financial systems still run on UNIX-based platforms developed in the 1980s and 1990s, which often are no longer supported by vendors.

What the financial sector can learn from the Wcry fallout is the importance of investing in a sound risk management framework that involves technology change management as well as updated software – all of which could have prevented Wcry.

Investing in a sound backup and continuity plan can also enable organisations to quickly rebuild and recover systems in the event of a cyber-attack or ransomware impact and eliminate any need to pay ransom. Most law enforcement agencies and cyber experts would caution against paying the ransom, as it may open the victims up to further exploitation and potential identity theft.

Financial services organisations and their leadership have a duty to protect their customers’ financial interests as well as their own institutions. This begins with a dedicated cyber agenda at the Board level along with the formation of a cyber security action committee reporting directly to the CEO.

Bank-wide vulnerability assessments that are C-level driven and business-aligned, covering all of the business units, should be prioritised. Additionally, a dedicated cyber security business unit should be formed with the goal of assessing and implementing new types of capabilities, processes and functions to combat growing threats.

Finally, encouraging bilateral and multilateral communication mechanisms with other banks in the marketplace, and interfacing with regulators to inform them of threats and share information on potential breaches as well as threat intelligence from local, regional, and international partners, can provide the contextual understanding needed to proactively defend institutions from future threats.