Last week’s global outbreak of the WannaCry ransomware was not only one of the biggest malware infections, it’s prompting big warnings as well.
“It may be the WannaCry virus will be a watershed event for directors and officers liability in this area,” Bradley Freedman, national leader of the cyber security law group at Borden Ladner Gervais, said Wednesday at the annual Canadian conference of the International Association of Privacy Professionals (IAPP) in Toronto.
“And I say that because the primary result of it has been business disruption and financial loss. Shareholders are going to be asking what their directors did to make sure their organizations were doing the right thing to manage these types of risks. Did it have an appropriate patch management program? Was there proper oversight? Why was this organization running a [Windows] XP machine?”
Meanwhile at another session Rene Pelletier, IT audit principal in the Alberta auditor general’s office, said the attack “is taking us to a really ugly place”: What if attackers go after poorly protected Internet-connected industrial controls, he asked.
Asked in an interview why “watershed events” for directors should have happened years ago with big breaches like Home Depot, Freedman noted that the vulnerability attackers used in WannaCry was patched by Microsoft in March. “So there’s an obvious question: Why wasn’t that patch implemented? There may be good reasons why. But that’s an obvious question. And there’s been all sorts of guidance on the importance of patch management and an effective patch management program. And that goes directly to governance and oversight and reporting.”
In his presentation as part of a panel advising on privacy and data breaches, Freedman noted that when it comes to cyber risk management courts say directors and officers have to consider the same things when making any corporate risk decision: Exercise the care of a reasonable person, and make “reasonable and informed and properly advised independent decisions.”
Perfection, he said, isn’t demanded.
Still, he said, the WannaCry attack, which according to the U.S. infected 300,000 computers around the world, may be a seminal event for directors.
In making decisions in civil lawsuits relating to breaches on whether the organization took “reasonable care”, Freedman added, judges will look to what he called “soft law” — best practices, industry guidance, previous decisions in other jurisdictions.
In an interview he warned that the best practices may evolve rapidly. “That’s why people who work in this area have to keep abreast of evolving standards and practices.”
As part of her advice to the audience, Nicole Godin, vice-president of KPMG’s forensic practice, said increased collaboration between security and privacy pros will be key to fighting attackers.
In his session on ransomware Pelletier said organizations are playing on the defensive because they don’t share their knowledge with other firms.
He also suggested enterprises aren’t helpless. But they have to do the basics: know what information assets you have and where they are, make sure there’s a data backup strategy, have endpoint malware protection and email filters, make sure software is kept up to date, ensure employees have awareness training, establish support networks (with those in your industry as well as police), and have tested incident/data recovery procedures.
If successfully attacked, follow corporate procedures, restore, then review security controls to see what went wrong.
Canada, he noted, is the second biggest target for reported ransomware incidents after the U.S.
Arguably his most important advice for those who suffer a ransomware attack is don’t panic.
Ransomware works because it relies on ignorance and isolation of users, he said. “We all need to work together on cyber security,” he added. “If we don’t, we’re dead.”
In an interview he said “you talk to any organization and it’s still that old myth that ‘I’ve got to keep all the information about me to myself, don’t share anything because that makes you more vulnerable’ … That attitude is changing but it’s tough to change. It’s been entrenched in the IT culture for a very long time.” But cyber criminals are highly organized, he said.