In the Wake of WannaCry, Is Old Technology Leaving You Asleep at the Wheel?
It’s no secret that the recent global ransomware attack, fittingly named WannaCry, has left businesses, government agencies, and healthcare organizations reeling. Infecting more than 300,000 computers, the attack caused organizations to scramble to secure their IT infrastructures. Not only did the attack expose many individual organizations’ shortcomings in their security programs, but it also exposed some major shortcomings in how many organizations approach cybersecurity. The attack also provides some key insights to help us better prepare for future attacks.
During this event, we have heard the typical cybersecurity advice, such as being wary of email attachments and links, paying attention to security patches, and educating employees on suspicious language that is atypical, vague or out-of-place. And while those best practices are still important, the WannaCry attack exposed the biggest vulnerability in most organizations — outdated technology.
Older versions of operating systems, and most software in general, often do not receive continuing support in the form of the latest patches and security measures. It is these unsupported, outdated technology solutions that often prove to be the most vulnerable—and often ignored—elements of the IT infrastructure. It could be the printer server sitting in the corner and running a 90s-era operating system, a perfectly functioning piece of equipment from a long-gone manufacturer, or a forgotten bit of hardware sitting in a wiring closet somewhere. Indeed, that’s precisely how the infiltration occurred for many WannaCry victims.
One of the most effective practices against ransomware, and all cyber threats, is deploying newer technologies that are designed or have been updated to prevent the types of attacks we saw with WannaCry. It’s actually similar to buying a new car. Older software was not designed for the threats of today, just like cars of the 1970s didn’t have nearly as many safety features as today’s automobiles. Most modern-day cars are designed with updated safety features conceived in their initial design stage—not just airbags but lane departure warnings, backup cameras and even alarms that go off when they sense you’re getting drowsy behind the wheel—much like today’s latest software and operating system advancements.
This attack has reminded us how vulnerable digital organizations around the world can be when it comes to cybersecurity, and as cyber threats continue to grow, it will become even more critical to have secure systems in place. A responsible owner doesn’t just budget to buy a car; she maintains it to keep it safe and, when safety parts are no longer on the market, moves on to the new model. Technology that protects our most critical data merits a similar investment.
As an attorney and engineer, Ken Mortensen is a privacy and security professional with over 20 years of legal and over 30 years of IT experience. Based in Cambridge, Mass., Ken currently leads Global Trust and Privacy at InterSystems as the Data Protection Officer. He works globally across the company to enhance information privacy, governance, and cyber risk processes. Before InterSystems, Ken served in a number of chief privacy and security roles for PwC, CVS Health, and Boston Scientific. Also, he served in the Bush (43) Administration as the Associate Deputy Attorney General for the Dep't of Justice, where he was the primary counsel on privacy and cybersecurity supporting law enforcement and foreign intelligence activities. Before Justice, Ken joined the Dep't of Homeland Security early in its existence, eventually becoming its first Deputy Chief Privacy Officer. Prior to that he had his own law firm, was special counsel to the PA Attorney General for cyber issues, taught at Villanova University School of Law, and began his career at Burroughs as an Electrical Engineer doing information assurance.