If ransomware hasn’t gotten your attention yet, then the WannaCry ransomware cryptoworm that ravaged the world for a week in mid-May
should make you sit up. The attacks were so devastating to many organizations—from major hospitals to important financial institutions—that ransomware is now mainstream news and the talk of federal and state legislators.
WannaCry 101: Getting You Up to Speed
You may have seen a lot of headlines and articles about WannaCry, but here are the basics to get you caught up.
- WannaCry is the name of a specific “ransomware cryptoworm.” Ransomware is a type of virus that encrypts your files and documents. The criminal then asks for a ransom within a specific time period (such as 72 hours). If you pay, then they (may) decrypt your files. If you don’t, you permanently lose access to those files. A cryptoworm is a self-replicating virus that encrypts files—meaning that once the virus in inside your IT systems, it can infect other machines without any city employee doing anything.
- WannaCry originated from a leak of National Security Agency (NSA) data that indicated a security vulnerability in Microsoft Windows operating systems. Hackers stole this information from the NSA and used it to create the ransomware cryptoworm.
- WannaCry had its biggest impact from May 12-19, 2017 when it affected about 230,000 computers across 150 countries.
Why Your City May Be in Serious Danger from a Future Ransomware Attack
While the media outlined the sophistication and wide reach of this attack, it mostly hit organizations that did not follow three important technology best practices.
This is important for cities to realize: It’s likely that your city has a good chance of experiencing a devastating ransomware attack that leads to permanent data loss if you don’t follow the three best practices below.
1. Failing to regularly patch your software
Microsoft released a Windows security patch in March 2017 that prevented WannaCry from affecting an organization. According to CNN
, “The ransomware is spread by taking advantage of a Windows vulnerability that Microsoft (MSFT, Tech30) released a security patch for in March. But computers and networks that hadn't updated their systems were still at risk.”
Yet, so many organizations—including cities—do not patch their software on a regular basis. Excuses are plentiful. City staff have too much on their plates. Reactive IT vendors do not get paid to do proactive IT maintenance. Nothing appears broken, so why fix it? It’s not a priority. Et cetera.
But when you don’t regularly patch, you miss out on security updates. Software vendors plug holes that hackers can exploit. When you don’t apply patches, it’s like leaving a back door open in your house. Organizations that did not apply the March 2017 Microsoft patch left this back door wide open.
2. Failing to update your operating system
WannaCry devastated organizations using outdated, unsupported operating systems such as Windows XP, Windows Server 2003, and Windows 7. A newer operating system like Windows 10 wasn’t affected by WannaCry at all.
If your city is running an outdated Windows operating system, consider that:
The older an operating system becomes, the more security issues it will have and there is less of a chance that Microsoft will provide security patching. Many organizations—including cities—stick with older operating systems because of poor practice, older software that’s only compatible with older operating systems, and an unwillingness to budget for the upgrade of operating systems.
Think of your operating system like a car. If Microsoft has stopped supporting it, it’s like driving a car that no professional will officially or possibly be able to repair anymore. You’re essentially just stitching it together with band-aids and waiting for it to break down, at any time.
3. Failing to modernize your technology and get rid of legacy systems
This issue has become so prevalent across federal, state, and local government that proposed legislation such as the Modernizing Government Technology (MGT) Act
specifically addresses IT modernization. In 2017, there is no longer a “nice-to-have” argument about modernizing technology. Instead, modernized technology and cybersecurity are increasingly seen as one and the same thing. The recent WannaCry attacks are now referenced by legislators pushing IT modernization bills—and they see it as both a national security and citizen privacy/protection issue.
For cities, it will become more and more negligent to cling onto old legacy hardware and software that uses obsolete, unsupported, and unsecure technology. While budget is always a concern, the costs of a cyberattack—financially, legally, and politically—can be far worse. States such as Arkansas
have even passed laws threatening to revoke a city’s charter if they don’t comply with the law through using appropriate, secure technology.
While the WannaCry attacks might look scary, they really only affected organizations that failed to implement basic IT best practices such as patching, using fully supported Windows operating systems, and keeping their technology modernized.