Following WannaCry, how should businesses protect themselves from cyberattacks?
If anything, 2017 will be remembered as the year of the cyber-attack. No business is safe. No industry is exempt. The ease with which cyber-attacks can be launched and virally propagated was brought home recently by the WannaCry ransomware attack. In less than 48 hours, it compromised more than 130,000 organizations in over 150 countries. This comes on the heels of an extensive phishing attack earlier this year that successfully caused numerous business to disclose the W2 information of their employees to hackers. It seems that not a week passes without a headline calling out the name of another business falling victim to an attack.
These attacks have adversely impacted stock value, resulted in the termination of executives, and have given rise to numerous class actions, Federal Trade Commission enforcement actions and sanctions, and investigations by State Attorney General’s offices. Officers and directors who fail to exercise an appropriate degree of care in addressing cyber security in their organizations are now facing personal liability.
In light of the foregoing, one would think businesses would make improving cyber security the top priority in their organizations. The sad fact, as highlighted by the WannaCry attack, is that many businesses haven’t even deployed the most basic of security measures. In fact, a recent survey found that 52% of organizations that suffered successful cyber-attacks in 2016 are not making any changes to their security in 2017.
Businesses just aren’t getting the message.
WannaCry should serve as the poster child for the world’s lack of preparation for cyber-attacks. Even though a patch was readily available, businesses didn’t deploy it. Even though one of the fundamental tenants of cyber security is to decommission systems and software that are no longer actively supported by their vendors, WannaCry highlighted the continued use by businesses of systems and software sometimes years after they had reached end-of-life and security patches were no longer provided. Even though the most recent statistics show that two-thirds of attacks of this kind result from failure to adequately train personnel, businesses have done little to improve employee education.
The United States’ security and privacy laws, regulations and industry standards generally have one thing in common: they each require businesses to do what is “reasonable” under the circumstances to protect their systems and data. As greater scrutiny is brought to bear on businesses suffering security compromises, it is likely many will be found to have failed to achieve that basic standard.
Businesses must take their heads out of the sand and view recent attacks, particularly WannaCry, as a clarion call to action. But before businesses are moved to deploy the latest security gadget, intrusion detection system, or firewall, they first need to focus on the basics of information security. In particular, all too often businesses are swayed by the siren song of the latest technology and fail to focus on the two most basic elements of information security, which are the elements that are almost universally viewed as some of the most effective steps a business can take to protect its systems and data. First, businesses must deploy a means of actively monitoring the availability of security patches for the technology and promptly implement those patches. Second, businesses need to focus on training their employees regarding information security, including phishing and ransomware. This means not only training employees when they are first hired, but continually updating that training throughout their employment and providing particular training when new threats arise.
While security patch deployment and employee training seem incredibly basic, as attacks like WannaCry bear out, many businesses simply fail to take advantage of them. In today’s environment, businesses that continue to do so will expose themselves to attacks that could severely impact their enterprise, result in substantial data losses or system unavailability, and give rise to potentially dramatic liability. It is never too late. Businesses need to start today to address these threats.
**Note** Originally published on CSO Online by Michael R. Overly. See original article here.
Michael R. Overly is a partner and intellectual property lawyer with Foley & Lardner LLP where he focuses on drafting and negotiating technology related agreements, software licenses, hardware acquisition, development, disaster recovery, outsourcing agreements, information security agreements, e-commerce agreements, and technology use policies. He counsels clients in the areas of technology acquisition, information security, electronic commerce, and on-line law. Mr. Overly is a member of the Technology Transactions & Outsourcing and Privacy, Security & Information Management Practices.
Mr. Overly is one of the few practicing lawyers who has satisfied the rigorous requirements necessary to obtain the Certified Information System Auditor (CISA), Certified Information Privacy Professional (CIPP), Certified Information Systems Security Professional (CISSP), Information Systems Security Management Professional (ISSMP), Certified Risk and Information System Controls (CRISC) and Certified Outsourcing Professional (COP) certifications.
Recognition
In 2010 – 2015, The Legal 500 recognized Mr. Overly for his information technology work in the U.S. In 2005, he was selected for inclusion in the Southern California Super Lawyers® list and also was honored by Los Angeles Magazine for this recognition. In addition, Mr. Overly was recognized by Chambers USA for his IT & outsourcing work (2013 – 2016).
Education
Mr. Overly is a graduate of Loyola Law School (J.D., 1989), where he was articles editor of the Loyola Law Review and elected to Order of the Coif, and Texas A&M University (M.S., electrical engineering, 1984; B.S., 1982). He was admitted to the California Bar in 1989.
Professional Memberships
Mr. Overly is chair of the Legal Working Group for the Cloud Standards Customer Council, an end user advocacy group dedicated to accelerating cloud’s successful adoption, and drilling down into the standards, security and interoperability issues surrounding the transition to the cloud. He is also a member of the Computer Security Institute, the Information Systems Security Association, the Computer Law Association, and the International Technology Law Association.
Thought Leadership
Mr. Overly’s numerous articles and books have been published in the United States, Europe, Korea, and Japan. He has been interviewed by a wide variety of print and broadcast media (e.g., the New York Times, Los Angeles Times, Business 2.0, Newsweek, ABCNEWS.com, CNN, and MSNBC) as a nationally recognized expert on technology and security related matters. In addition to conducting seminars in the United States, Norway, Japan, and Malaysia, Mr. Overly has testified before the U.S. Congress regarding online issues.
Selected Publications
- A Guide to IT Contracting: Checklists, Tools and Techniques (CRC Press; December 2012)
- The Executive MBA in Information Security (CRC Press 2009)
- Negotiating Telecommunication Agreements Line-by-Line (Aspatore Press 2005)
- Software Agreements Line-by-Line (Aspatore Press 2004)
- The Open Source Handbook (Pike & Fisher 2003)
- Overly on Electronic Evidence (West Publishing 1998)
- E-Policy: How to Develop Computer, E-Mail, and Internet Guidelines to Protect Your Company and Its Assets (American Management Association 1998)
- Document Retention in The Electronic Workplace (Pike & Fisher 2001)
[Disclaimer: The information on this blog or article is provided without any warranty or guarantee, does not provide legal advice to the reader, and does not create an attorney-client relationship with the reader. Any opinions expressed in this blog or article are those only of the author and do not necessarily reflect the views of the author’s law firm or any of the author’s or the law firm’s clients. In some jurisdictions, the contents of this blog or article may be considered Attorney Advertising.]
Smoke testing is a term used to describe the testing process for servers after patches are applied. 
Estimating an average time for patching servers and PCs can be a bit tricky. It can vary from one month to the next, depending upon the number and complexity of the patches released by your software vendors. You must consider all versions of operating systems and have a complete inventory of all your application software to do this job correctly. Our experience has shown that manual patching of systems takes on average of about 1.5 hours each.
This is a basic cost calculator for you to compute your typical monthly cost for patching your servers, PCs, laptops, tablets and associated application software. It also forms the basis for you to begin calculating your Return on Investment for software patching, or for comparison with alternatives to the manual process of patching operating systems and application software—such as Patch Management as a Service, also known as Vulnerability Management as a Service.