Everyone is talking about the WannaCry ransomware attack lately. People discuss how it happened and how to protect yourself from it. It’s perfectly okay to discuss all these, but now that it has happened, what have we really learned from WannaCry?
Going back to the root, this isn’t a zero-day attack. Microsoft had already released a patch for the “Eternal Blue” vulnerability, which was the main cause of the WannaCry attack. If this isn’t a zero-day, why did so many systems get compromised? Is it the fault of companies’ IT divisions? Should the blame be put on the Chief Information Security Officer (CISO)?
If we take a closer look at what happened, it’s not only the lack of patch updates but also the lack of awareness regarding information security. Most of the users have been compromised via an email, which contained a malicious attachment. If the attachment is opened, the system gets compromised. The malware then spreads through the LAN, and the whole LAN could be compromised. On the other hand, if the user didn’t open the attachment, then the whole company might be on the safe side.
Information security education is important
Stakeholders of companies invest their money in purchasing IT infrastructure and implementing the best possible protection mechanisms. But they very rarely invest in educating employees about the threats in the field of information security and how to prevent them. I am not talking about the training you give to the IT staff, but about the education that is not given to all computer users.
Stakeholders should compare the investment needed to educate the employees with the investment needed to recover the organization from such a huge attack. The more systems are compromised, the more ransom has to be paid 🙁
No matter how many skilled IT professionals you have in your organization, if an ordinary user makes a mistake, then your whole company might be at risk.
You could be a victim today, or maybe tomorrow!
As you read this post, malware may be affecting one of your employees, or maybe you. Maybe you have already been a victim without your knowledge. It may not be WannaCry, but it may be another one.
Ask yourself whether you know what should be known. What level of knowledge do you have regarding cyber security? What level of knowledge do your employees have? What losses may you face if you are compromised? Ask yourself.
If you want your company to be protected, or if you feel you or your employees need more education in information security, come to us. Get yourself educated and protect yourself from such attacks and losses.