Infosec Compliance Awareness Saves Lives from WannaCrys
Published May 18, 2017 by Ken Lynch
On Friday, May 12, the WannaCry ransomware attack proved the importance of infosec compliance awareness. The weaponization of vulnerabilities in Microsoft software shut down the UK’s National Healthcare System, proving that infosec compliance awareness matters not just to computers but to people’s lives. WannaCry taught us that those updates can be a matter of life and death. In this case, an entire country’s healthcare system closed except for emergency services. Arguing fault, be it the NSA, Microsoft, or the organizations affected by the attack, matters little when the health and safety of an entire nation rests on cybersecurity.
Government, and indeed some corporate, systems are notoriously outdated. Refitting an organization that includes thousands of employees costs money. With older computers and older operating systems, updates slow down productivity by taking a long time to install and restart. It’s easy to think, “no one will die if I don’t install this update.” The information security community needs to better promote infosec compliance awareness as integral to people’s health and well-being.
Infosec Compliance Awareness Is A Matter of Life and Death
Infosec Compliance Awareness is More Than Financial Well-Being
The importance of infosec compliance awareness often filters through organizations as discussions of return on investment. Big business C-suite executives look to their CISOs and CIOs to manage risks for the least amount of money. These risks are calculated by the impact on reputation leading to lost profit or in terms of dollars lost due to a breach arising out of noncompliance. Richard Clarke at ABC News explains,
CEOs and board members do not like to get into the weeds of their networks’ management, but they need to understand issues like “patch” policy. They need to know when their systems are at risk and for how long.
Whoever sent WannaCry into cyberspace may not have done it for the money. Thus far, they have collected relatively little money, far less than they have cost companies and governments…. Do you think we will learn those lessons this time? Past experience suggests we will not.
With this in mind, the infosec community needs to use this as a call to action for protecting not just information but people. If businesses will not or cannot take the necessary steps to upgrade and update their IT environments, then the information security community needs to come together to ensure the protection of these assets. Updating software to incorporate patches may seem like a hassle or a monumental task. However, these updates are part of the information security compliance landscape. An organization with a strong culture of infosec compliance awareness will have incorporated potential zero-day flaws into their risk assessment and risk treatment/management.
Increased Ransomware Attacks Highlight the Importance of Infosec Compliance Awareness
Ransomware infections have increased exponentially in the last few years. The Department of Justice released a report stating,
Ransomware is the fastest growing malware threat, targeting users of all types—from the home user to the corporate network. On average, more than 4,000 ransomware attacks have occurred daily since January 1, 2016. This is a 300-percent increase over the approximately 1,000 attacks per day seen in 2015. There are very effective prevention and response actions that can significantly mitigate the risk posed to your organization.
These increased attacks show that cybercriminals, rather than simply stealing information, now recognize the critical value information holds in our society. Organizations with strong compliance programs will be ahead of the attackers by proactively recognizing risks, incorporating protections and updates in advance of attacks, and being less likely to have exploitable areas.
The Internet of Things Drives Infosec Compliance Awareness Needs
As an industry, we know better. As the Internet of Things increases people’s connectedness, it also makes them more vulnerable. It makes them vulnerable in ways they cannot or choose not to understand. With this in mind, the information security industry has started the process of creating audit procedures to promote safety within the realm of business needs. At the end of 2016, Compliance Week noted that IoT internal audits were becoming more important to businesses and provided organizations a list of questions to help promote infosec compliance awareness in the IoT landscape.
The following are key questions to consider in developing audit plans and considering their role for the IoT:
- How is the IoT deployed in our organization today? Who owns the IoT or the respective components of it?
- Have we considered the risks associated with the IoT presence? How have those risks been quantified and controlled?
- Do we know what data is collected, stored, and analyzed? Have we assessed potential legal, privacy, and security implications?
- Do we have contingency plans for Internet-connected “things” that are hijacked or modified for unintended purposes?
- To what extent are third parties utilizing the IoT acting on our behalf? Do we have appropriate process and agreements in place to appropriately monitor those third parties?
- What role does the IoT play in our current strategy as an organization? How are we measuring the achievement related to any goals associated with strategic objectives?
- What is the risk of not considering or further leveraging IoT possibilities? Are we using data analytics to full potential?
The majority of these questions focus on data and organizational use. These fall into the traditional C-suite concerns regarding information security. Creating a strong security profile means ensuring compliance proactively, not reactively. However, one of the above questions has a greater implication that can affect not just business bottom lines but the health and well-being of society as well.
Do we have contingency plans for Internet-connected “things” that are hijacked or modified for unintended purposes?
Protecting IoT Ecosystems Through Effective Infosec Compliance Awareness
The newest ransomware threats will be to the IoT ecosystems. Many experts believe that WannaCry may be a test run for something larger. What could be larger than paralyzing the information systems of more than 200,000 computers in 150 countries? Controlling systems outside of the digital space. A TechCrunch article from October 2016 quotes Neil Cawse, CEO at Geotab, stating,
While traditional ransomware affects your computer and locks your files, IoT ransomware has the opportunity to control systems in the real world, beyond just the computer…. In fact, due to the many practical applications of IoT technology, its ransomware can shut down vehicles, turn off power, or even stop production lines. This potential to cause far more damage means that hackers can potentially charge much more, ultimately making it an appealing market for them to explore.
The ability to control physical systems remotely using ransomware is the type of threat that does not register with the average Amazon Alexa user. IoT compliance means looking at the implications of ransomware attacks and ensuring that the information security community takes the lead on protecting users from themselves and from outside threats. As a peer-driven industry, the information security industry stands at the forefront. With great knowledge comes great responsibility. Now is the time for the industry to further promote infosec compliance awareness not merely as a financial bottom line but as a social good.
The Medical Internet of Things Makes Infosec Compliance Awareness a Matter of Life and Death
More importantly, the Medical Internet of Things is also at risk. Incorporating IoT devices into healthcare makes hospitals more efficient and patients healthier. Providers can remotely monitor patient data without needing to bring people in for visits. Sensors on medications can monitor whether people are following the appropriate regimens. Innovation Enterprise recently shared,
At Boston Medical Center, IoT is everyday life. Newborn babies are given wristbands, allowing a wireless network to locate them at any time. They have installed wireless sensors in refrigerators, freezers and laboratories to ensure that blood samples, medications, and other materials are kept at the proper temperatures. The hospital also has more than 600 infusion pumps which are IoT-enabled. BMC staff members can now dispense and change medications automatically through the wireless network, rather than having to physically touch each pump to load it up or make changes.
A ransomware attack targeting these IoT devices can cause blood samples to go bad or stop infusion pumps. The best way to stop these kinds of events is to take precautions to help ensure that they do not occur. Zero-day flaws are constant sources of risk. This is where infosec compliance awareness can save lives. Being compliant means incorporating risks into the organization’s risk profile. This means thinking ahead. Compliance is more than just a business bottom line in many cases. Compliance becomes a social good enacted by those who have the knowledge to help protect people.
Automation Can Promote Infosec Compliance Awareness
Compliance products like ZenGRC do not save lives. They do, however, make life-saving compliance work more manageable. Sharing multiple compliance programs in a single location allows for more efficient communication between C-suite members, audit, and the Board of Directors. Generally, compliance automation seeks to reduce redundancy and create agile solutions to information security problems. However, all compliance is based on risk. In the case of a zero-day flaw, the impact of the flaw being exploited, such as with the UK’s NHS, may create a justifiable reason to incorporate completely redundant systems or processes. Automated tools like ZenGRC create transparency in the information security compliance space that allows organizations to make safer determinations.
WannaCry is the warning bell that ransomware is here to stay. Information security professionals need to lead the way to protect the health and well-being not just of information but of people. Not installing those updates may kill someone, someday. Infosec compliance awareness may end up being, literally, a matter of life and death.
Where do you see non-financial value in information security compliance awareness? Tell us in the comments!