Last week’s unprecedented “Wanna Cry” ransomware attack affected over 200,000 systems in more than 150 countries, including China, France, India, Japan, Russia, Spain, Taiwan, the United Kingdom, and the United States. European countries were hit the hardest: Germany’s railway system; Spain’s telecom, gas, and electrical companies; and the U.K.’s National Health Service (NHS) trusts, which were forced to shut down emergency services and cancel surgeries. Luckily, U.S. companies were largely spared because the threat was mitigated before they could be significantly affected.
While this was the most massive cybersecurity attack yet, we were spared from a larger catastrophe by a 22-year-old U.K. security researcher who happened to be checking his threat-sharing platform from home during a week off work when he noticed several U.K. organizations being hit simultaneously with ransomware attacks. He and a fellow researcher quickly found a way to significantly slow the malware’s progress, thus avoiding a major catastrophic cyber-event.
Also known as “Wanna Crypt” and “Wanna Decrypt”, the ransomware encrypts a computer’s documents, music, pictures, and all other files, making them inaccessible to the victim. The files are then held hostage until the victim pays a ransom of $300 to unlock them. If the ransom is not paid within 3 days, it is increased to $600. Organizations that keep routine back-ups of their systems can avoid paying the ransom and restore their systems instead, but this still results in system downtime and a lot of time and effort to get the systems up and running again. Organizations that do not have back-ups have to pay the ransom or risk losing all their data.
Ransomware is usually introduced into a system by a phishing attack that uses legitimate-looking emails with attachments or web links, apparently sent from organizations such as banks or credit card companies, to lure victims into “updating” their personal information (birthdate, social security number, passwords, etc.). When the attachment or link is clicked, malware or Trojans are introduced into the victim’s system. The “Wanna Cry” attack seems to have come from a web link that contained the malware. Once clicked, it multiplied very quickly through the use of file-sharing software that automatically spread the malware from one system to another. Some phishing scams are easy to identify, but others can be cleverly disguised. (For more information about phishing, see a previous newsletter article: “Cybersecurity for Case Managers: Don’t Get Hooked – How to Prevent Being Caught in a ‘Phishing’ Attack”.)
One reason this attack was so widespread was that many organizations were still using older versions of software, such as Microsoft Windows, that are no longer supported and automatically updated by the developer. As a result, those systems did not have the most recent cybersecurity updates, which could have prevented the attack. Home computers running older versions of Windows or outdated anti-malware products can also be unprotected if they are not routinely updated. Because of the magnitude of this threat, Microsoft took the unprecedented step of issuing a free update for older versions of Windows that are no longer supported. Check to be sure your Microsoft software and anti-malware products have the most recent updates.
Since more and more of our daily tasks and processes now involve the internet, we need to become much more vigilant in looking for and preventing these types of attacks. We cannot be lulled into thinking that the anti-malware software on our systems or our Information Technology (IT) department will handle all these threats. As you can see from what happened last week, those safeguards were not enough to stop the attack. All it took was for someone to click on a link that contained the malware. And I’m sure you don’t want to be that “someone” who takes down over 200,000 systems!
As we become more and more dependent on the internet and computerized systems, we are becoming more at risk for major cybersecurity attacks that can cripple our systems. This attack, as well as the increased number of healthcare-related security breaches and the hacking involving the U.S. election campaign, are examples of major cybersecurity attacks that could be leading to a major catastrophic event.
As case managers, we must realize that cybersecurity is not just an IT function. Sure, IT does everything it can at a corporate level to develop a secure infrastructure and implement security safeguards. However, every individual is also responsible and accountable for cybersecurity. Each of us needs to be a “steward of security”, empowered and accountable to create a culture that is essential in raising awareness and reducing security incidents. (For more information about what each of us can do, see a previous newsletter article: “Cybersecurity for Case Managers: Responsibilities of Individual CMs”.)
Management staff have the added responsibility of making sure all staff members are routinely provided with cybersecurity training and regularly tested to ensure they are cognizant of the threats and know how to avoid them.
To help with those goals, I have included some references below. They include staff cybersecurity training programs and quizzes that individual case managers can use to test their knowledge and awareness, and that management staff can use to quickly develop staff training and testing programs. There are also some tools that managers or IT departments can use to assess the level of potential threats in their organization, and an open source tool with a user interface that IT departments can use to develop training and testing programs and track program results. I hope you will find these useful.
Cybersecurity Educational Programs
- Phishing Emails – A Field Guide. A marketing website for an anti-malware product, but it has good information for managers about how to recognize, avoid, and stop phishing attacks. The Appendix includes free phishing tests, anti-spam and email filtering tools, and examples of real-life phishing emails to use to test yourself or your employees.
- Email and Social Networking from Microsoft’s Safety and Security Center. Tips on creating strong passwords, protecting your information, and avoiding scams and hoaxes.
- How Cyber-Savvy Are You? from Canada’s Centre for Digital and Media Literacy. Instructional tip sheets, an instructional plan, and a quiz.
- NOVA’s Cybersecurity Lab from Khan Academy. Cybersecurity 101 program, practice quizzes, and glossary.
- Find Out What Percentage of Your Employees are Phish-prone from KnowBe4. This is a marketing website that provides immediate access to a free phishing security test for up to 100 employees.
- Cybersecurity Quizzes and Tests from the Mississippi Department of Information Technology Services. 15 tests to assess knowledge in different areas, e.g. phishing, internet surfing, laptop security, etc.
- Cybersecurity Knowledge Quiz from Pew Research Center. Includes a 10-question quiz that allows users to compare themselves to 1,055 randomly selected adult internet users.
- End User Security Awareness Quiz. A 20-question quiz to be taken after attending a training session or reviewing company policies.
- How to Test the Security Savvy of Your Staff from CIO, an organization serving CIOs. Provides 4 employee testing approaches to detect potential cybersecurity issues and ways to train employees.
Cybersecurity Management Tools
- Test Your Cybersecurity IQ from Microsoft. A quiz for managers of small to medium-sized businesses to assess their cybersecurity knowledge.
- Cybersecurity Quiz – Know Your Threats from PC World. 10 questions for managers to gauge their awareness of cybersecurity dangers.
- GoPhish. A free, open source tool with a user interface that IT departments can use to develop their own phishing training and testing and to track the results.