WannaCry hit UK organisations hard. By equipping their people to defend against cyber crime, the same organisations can make WannaCry the last big attack they suffer.
As I write this, on the afternoon of the 15th of May, 2017, several things are happening in response to the cyber attack WannaCry.
First, Information Security Officers and IT personnel all over the world are rolling out updates and security patches, in an effort to prevent a WannaCry infection, fuelled no doubt by several more high-strength coffees than they’d otherwise drink in any given period.
Second, affected businesses are debating overcoming WannaCry by paying cyber criminals sizeable ransoms. Some are rolling the dice. Others are standing firm.
Third, international organisations are working to track down those responsible to both nullify their operation and prove to an awaiting world that cyber criminals will be brought to justice.
The fourth is most important
The fourth is most important.
While most of the world remains otherwise occupied in preventing, battling and overcoming the biggest cyber security scare so far recorded, someone, somewhere is watching and plotting.
This person – or, more likely, group of people – is not interested in WannaCry. Not directly, at least.
Because these are the people planning the next great attack.
How the mind of a cyber criminal works
WannaCry is not the first great cyber attack we’ve ever experienced. And, sadly, it won’t be the last.
Those that know CybSafe know that we’re not interested in hyperbole and fear-factor marketing. Cyber risk is real and we don’t need to dramatise it any more than it already is.
We’re interested in what can be done to protect ourselves against it.
So the fact remains that no matter what happens in response to WannaCry – no matter how many devices are updated and technological solutions laid out – another large scale attack is likely to eventually occur.
There’s a good chance the attack will be equally as devastating and affect numerous organisations, families and people – just like Friday’s attack.
This is unless companies do something to change their people’s behaviour when it comes to cyber security.
Unsupported software & security vulnerabilities
It’s still unclear precisely what caused WannaCry and it’s equally unclear if any single entity could have done anything to prevent it.
What is clear is the attack would have been a great deal more muted if it wasn’t for people running out-of-date, unsupported software with known security vulnerabilities.
It’s quite likely that many of the people using this software were aware they were running a security risk. They were most likely aware, perhaps after training, that cyber criminals can and do take advantage of insecure software to break into systems and hold companies to ransom.
So it begs the question:
Why, when people know they’re running such risks, do they fail to put their cyber security knowledge into practice? And what about those who don’t know any better?
The answer lies in human psychology.
Psychologists and behavioural scientists have repeatedly shown that humans are hardwired to underestimate risk, seek short-term gratification and ignore evidence that fails to align with an existing worldview.
Taking each of those in turn, it would appear we humans:
- Underestimate the risk of a cyber attack
- Struggle to take appropriate measures to safeguard ourselves against cyber attacks
- And convince ourselves we’ll never be victims of cyber attack, despite the fact cyber crime happens every day
The three quirks combined go a long way to explaining why we’re comfortable running unnecessary risks and how WannaCry escalated so quickly.
Given human psychology, and given WannaCry won’t be the last cyber attack ever launched, is there anything companies can do to safeguard themselves against the cyber attacks of the future?
How to change our people’s behaviour
As it happens, there is something companies can do.
Once companies know what’s stopping their people from following best practice, they can react accordingly.
Companies struggling to change their people’s behaviour can take advantage of things like simulated cyber security attacks, for example. By making cyber attacks real, simulated attacks remedy each of the above three biases at once.
It’s rare that I use the CybSafe blog as a promotional channel. But in the wake of WannaCry it feels irresponsible to do anything but.
Through changing the behaviour of the people that make up workforces of varying sizes, CybSafe helps transform people from posing a risk (or being a vulnerability) to being an asset in the fight against cyber crime.
When we and our colleagues are switched on to the risks of cyber crime, a cyber criminal’s fortunes are immediately reversed.
People are almost always a company’s greatest, most under-used resource.
By investing in them correctly, a company’s employees can become its most reliable defence.