This is no time to be smug, or to feel secure. Laurence Eastham calls for mature reflection and constructive action as the ransomware attack tempts some into schadenfreude and others into doom-laden panic.
Hark from the tomb a doleful sound, mine ears attend the cry
‘Ye living men, come view the ground where you must shortly lie’.
Those words (Snake Island, Isaac Watts, 1709) are the opening lines from a song the Lingmara choir performed last week – I was at fourth bass. The lines came to mind as I read more and more reports on the recent ransomware attacks. Cyberattacks are, it seems to me, a lot like death – we all know it is going to happen to us but we spend most of our time carefully avoiding confronting the fact, bar the odd life insurance policy and (for a minority) a will.
Once the warm glow of not running Windows XP has passed, the reality dawns that no organisation of any substantial size is safe from attack. Which organisation can guarantee that not one of its employees would ever click on a link or download from a strange email? Recognising that and the limitless folly of humanity (including the folly of those with admin passwords), even those with great IT security resources might muse on the lines from Isaac Watts that follow his cheerful opening:
Princes, this clay must be your bed, in spite of all your towers
The tall, the wise, the reverend head must lie as low as ours.
I suspect that Isaac Watts would have prescribed a combination of prayer and acceptance; I think he rather liked doom and gloom. But I’d like to fast-forward a couple of poetic centuries and advocate a bit of constructive raging against the dying of the light.
Law firm IT directors and those with security responsibilities will never have a better opportunity to upgrade their budget and equipment. It is not an opportunity to be missed and it is a brave person who refuses them at the moment. Patch and upgrade – obviously – but be wary of the snake oil salesmen who will see this as their perfect opportunity to sell irrelevant extras. A lot of any extra money should go on staff training because that will always be a weak link – the wetware is the contributory cause of most security problems, probably including this latest one. (And beware an avalanche of unsophisticated phishing attacks on the back of WannaCry.) Follow the National Cyber Security Centre guidance on WannaCry and the broader guidance on protecting against ransomware. Back up, and back up again, and consider the efficacy of a remote backup – and retain backups for ages (as some nasties have delayed triggers – almost a year in some cases). If you are cursed with old operating systems, consider locking the core of the machines down so no external program is allowed to launch or modify the settings. You might also review who has access to what – limiting access within communities can be good data protection policy but also has the effect of limiting damage.
The closing lines of Snake Island might suggest that Isaac Watts was many centuries ahead of his time:
Great God, is this our certain doom and are we still secure
Still marching downward to the tomb and yet prepared no more?
While attack is certain, doom and this particular tomb are optional. Be prepared. And maybe pray a little.