WannaCry reveals some important facts about our dependence on the internet and IT
The global WannaCry ransomware attack has highlighted that cyber attacks are not the responsibility of the chief information security officer (CISO) but of the organisation and its leaders, who must actively gauge their IT dependence and invest in the risk treatment options that best match their business.
Stakeholders must now assess the short-term effect on profits or margins of paying for risk treatment and resilience, which are vital investments for the overall longevity and health of the organisation.
There is a misguided view that information risk is a technology problem to be managed by the information security and IT functions.
There are many extremely talented people and professionals working on the front lines of cyber and information security who consistently give of their best, not only day-to-day, but also in times of crisis. Their efforts should be applauded and recognised.
The challenge of securing organisations and societies goes beyond the resources of these professionals, their governments and the small pockets of deeply technical experts that analyse the threats. Everyone must respond to this growing threat.
The indiscriminate nature of the WannaCry attack demonstrates that every individual can be a target whatever their sector or organisation. Well-publicised breaches of shopping, email and other providers have given criminals easy access to current email addresses, often the gateway for attacks, including WannaCry.
Further, the sheer number and variety of systems used in any industry means that an attack will always be likely to succeed at some level. The presence of unsupported applications, operating systems and other software – often required for valid operational reasons – only raises the probability of success for an attacker.