Organisations Haven't Made Security Improvements since WannaCry

The WannaCry and Petya attacks caused disruption on a colossal scale, affecting businesses around the world.  In theory, the cost of damage in trade and reputation should have sounded alarm bells and jolted businesses into tightening their security systems to mitigate against such attacks in the future. But has it done this in practice?

Tripwire, a leading global provider of security and compliance solutions for enterprises and industrial organizations, conducted a survey to found out how confident security professionals were that organisations had made appropriate security improvements since the WannaCry and Petya attacks.

Unfortunately, over two thirds (68 percent) of respondents did not feel confident that enterprises overall have made the necessary improvements to better protect against cyber attacks, in spite of this year’s major global attacks. This lack of confidence could be down to a lack of action from organisations implementing practicing critical security controls.

It was found that nearly a third (28 percent) of security experts felt the biggest issue for a business is not knowing what devices are on the network. This was followed by concerns on how organisations manage vulnerabilities (14 percent), manage administrative privileges (6 percent) and pay attention to audit logs (6 percent).

Still, the majority (40 percent) believed there was not one root problem and that organisations were failing at all the above.

Tim Erlin, VP at Tripwire, said: “No matter how big or small your organisation is, you have to have a serious attitude towards security. If you were lucky enough not to have been effected by WannaCry or Petya take it as a sign. Remember, you don’t have nine lives. All it takes is one data breach or another WannaCry and your company has lost data, money, credibility and most importantly, customer trust, which is one of the most difficult things to recover.

“Adopting best practises and leveraging critical security controls will continue to be the best bet for defending against advanced adversaries and can help close the gap within a business’s security infrastructure. There is research that supports the claim that the vast majority of attacks are due to known vulnerabilities and most of these breaches occur from exploits that have been left unpatched.

"It is important to understand that good security hygiene will greatly reduce the effectiveness of an attack and goes a long way to making the attackers job more difficult.”

On the plus side, the overwhelming majority (84 percent) of security professionals said that their organisation is making appropriate investments in mitigating its cybersecurity risks. When you consider the severity of the average cost of a global cyber attack, it’s a welcome sign to see enterprises budgeting for cyber defences.

“It’s good to see businesses investing in security defences. However, it’s about purchasing the right technology that’s suited to that company and to understand that technology it not the only solution. Enterprises need to remember to focus on the fundamentals of security.

"One of the most important tools, and probably the one that gets overlooked is education. Malware attacks often rely on social engineering and playing on the weakness of human nature. The recent malware attacks are perfect examples of where a sound, consistent education programme could have either prevented or reduced the impact of the attack.”

Also Read

Stay in the know with our newsletter