A few preventative measures can ensure safety from WannaCry ransomware and other attacks.
The recent WannaCry ransomware attack affected over 300,000 computers in more than 150 countries. Attacks like this are not new; in the late 90s and early 2000s, similar ‘worms’ went by the names of Code Red, NIMDA and SQL Slammer. These worms, like WannaCry, spread rapidly because human intervention isn’t needed to activate them.
However, unlike the historical attacks, WannaCry was launched by criminal actors with financial motive, demanding owners of infected machines pay a ransom to restore access. Fascinatingly, those behind WannaCry supported communications in multiple languages and even had customer support. After all, how many small business owners know how to obtain and transfer $300 in Bitcoin?
Ransomware strikes on businesses increased three-fold from January-September 2016: the difference between an attack every 2 minutes and one every 40 seconds. CEOs have reacted by increasing information security spending dramatically since 1998. In 2016, businesses spent $73.6 billion on cyber solutions. Yet, we keep falling victim to the same pitfalls that hurt us. Why?
First, there are so many information security solutions on the market that businesses don’t know how to prioritize. Obtaining the maximum information security benefit for each dollar of budget spent remains a problem. Often, budget is spent on products that address extremely specific risk scenarios that do not represent where an organization’s risks actually lie.
Secondly, security professionals are struggling to keep pace with the technology and with the bad guys. The tools and techniques used by the bad guys are evolving very quickly; any static defense will be quickly overwhelmed. WannaCry is allegedly rooted in a nation-state developed technology that was leaked only a few months ago.
Lastly is the conundrum of how to recruit and train the highly-specialized workforce required to defend our networks. Labor shortages and the resulting wage and talent wars in the information security space are a pain point for businesses.
One way CEOs can get ahead of the threat is by practicing what we call Collaborative Security. Collaborative Security focuses on information security strategies and programs that are practical, outcome-based, measurable, and foster a sense of collective responsibility. As attackers use common techniques to attack multiple targets, defenders working together effectively will have a higher level of defense than those going it alone.
Practitioners of Collaborative Security are informed by the threats they face, and invest in defenses effective against the tactics being used against them. They deploy security solutions with purpose, not out of fear or uncertainty. They have an up-to-date inventory of valuable assets and data, identify and protect the highest risk assets, and never spend more mitigating a risk than tolerating it will cost.
Defenders work together to gain advantage. Fostering a sense of collective responsibility, practitioners of Collaborative Security understand that their own security is a function of the security of many known and unknown partners – and the Internet as a whole—and actively contribute to the shared security, stability and resiliency by sharing information, expertise and maintaining their own security.
Companies that practice cybersecurity alone will continue to lose the battle.
Jeff Schmidt is the vice president, chief cybersecurity innovator at the Columbus Collaboratory, a rapid innovation firm founded by seven leading companies that delivers business value through advanced analytics and cybersecurity solutions.
 Kaspersky Security Bulletin 2016. https://securelist.com/analysis/kaspersky-security-bulletin/76757/kaspersky-security-bulletin-2016-story-of-the-year/
 Computer Security Institute. Computer Security Issues and Trends 2000. http://www.techrepublic.com/article/cybercrime-is-on-the-rise/
 IDC WorldWide Semiannual Security Spending Guide. http://www.idc.com/getdoc.jsp?containerId=prUS41851116