Two years ago, the WannaCry cyber-attack hit many businesses and public services. An attack on this scale, which relied on nothing more than a missing update, has not recurred since then. But could this be the calm before the storm? To be less vulnerable to cyber-attacks, all organizations must concern themselves with the obsolescence of their applications and, more generally, with the management of their IT risks.
Develop a culture of risk management
As digital technology evolves, new threats naturally develop, and groups of cyber criminals are multiplying and perfecting their hacking techniques. Data theft, fraudulent acts, destabilization: according to the European Commission, 80% of companies in the zone have been affected at least once by cyber-attacks since 2016. However, organizations do not always measure the extent of the danger that a cyber-attack represents. The culture of risk management progresses only through a painful or expensive confrontation with an attack.
This was the case for the NHS (National Health Service) in the UK. The public organization had tens of thousands of computers running Windows XP that were no longer maintained by Microsoft and therefore did not receive updates. It was this flaw that the attackers exploited, impacting fifty hospitals that could no longer access their medical history management applications and could therefore no longer perform any medical or surgical operations for several days.
Organizations are still too vulnerable to cyber-attacks
All applications and operating systems have flaws that are not always repaired by their publishers in time, and too many organizations do not update their systems and software on a regular basis. These are the vulnerabilities that cyber-hackers exploit. They use phishing, which involves sending fraudulent emails that impersonate a legitimate sender in order to steal data or money, and they cause operational incidents or interruptions.
If CIOs are familiar with these risks, why are they still struggling to deploy IT risk management programs? Because updates require lengthy, resource-intensive preparation: a flaw can persist for several months before being corrected. But also because performance is measured over the short term, and boards of directors oppose deployments of security policies that require investment and only pay off in the medium and long term. Security is therefore too often seen as a cost center and not a profit center.
Set up an emergency plan for cyber-attacks
And yet, after WannaCry, how much did organizations spend on technical investigation fees, legal fees, and insurance premiums? What were their unquantifiable costs in terms of business interruptions and loss of customer confidence? And how much effort and how many resources have been dedicated to securing customer data, to regulatory compliance, and to improving cyber device security? Although the companies that fell victim to WannaCry have obviously not revealed its total cost, the consequences are still being felt.
To learn from this attack, companies (whether already victims or future victims) should prepare to thwart the next one, both by reducing the flaws that attackers can exploit and by minimizing the impact of such an attack on the entire enterprise.
Before reducing the flaws in question, we must first identify them. A good starting point is to build a catalog that references the entire range of applications and the technologies that underpin them, so that their obsolescence and their risks can be managed. Following this identification, companies can migrate obsolete technologies to new, more secure versions, remove dangerous application systems from circulation for redevelopment, or otherwise declare and manage the risk of continuing to use obsolete technologies.
Once the vulnerabilities are identified and addressed, it will then be necessary to analyze the potential impact of applications made unavailable by an attack. This requires an analysis of the company's processes and functions that rely on the affected applications. The impact can then be minimized by setting up an emergency plan.