Indian Corporates – Do you WannaCry or Be Ready

On Friday, May 12, something that might sound like Justin Bieber’s new soundtrack started mayhem across the world. A new ransomware called ‘WannaCry’ began spreading on Windows-based computing systems. Once executed, the malicious program encrypts the user’s files while self-replicating to other vulnerable machines on the same network. The infection is said to have spread across 150 countries and lakhs of machines worldwide. Almost 50,000 attack attempts were detected in India alone. Initial reactions from those unaffected may range from ‘we don’t care’ to ‘see, these kinds of things do happen in the world’. Whatever the reaction may be, there is a pressing need for organisations and individuals alike to reconsider their preparedness as the attacks keep evolving and extending their reach.

Just as insurance companies see a manifold increase in new applications for cover right after a natural disaster strikes, there is a sudden spurt in demand for anti-malware subscriptions. However, in most cases it is just a spike: as humans we are habituated to seeking our comfort zones, and soon after the disaster fades from our memories we slip back into them.

While this may spell a windfall for cybersecurity and other services firms, it brings a more pertinent question to the fore: ‘Is this something new that corporates are not aware of?’ The answer is ‘No’, as ransomware is already a $1 bn industry (by FBI estimates) and has been bugging corporates for more than half a decade now. This new outbreak of “WannaCry” has caught much media attention because of its mammoth scale, which led to simultaneous attacks on computer systems across the world.

In the wake of the WannaCry attack, the Indian government’s Computer Emergency Response Team (CERT-In) issued a public advisory and declared a critical alert. The Ministry of Information Technology (MeitY) advised key stakeholders such as the Reserve Bank of India, National Payments Corporation of India, National Informatics Centre and Unique Identification Authority of India to protect their systems against WannaCry and ensure protection of the digital payments ecosystem in the country. The Reserve Bank, in turn, directed banks to shut down their ATM networks until the machines received the Windows patch. Most of these machines were running Windows XP, which Microsoft no longer supports with patches, and the result could have been huge mayhem had Microsoft not released specific patches in time, on prior input of a possible leak.

So what can one do to thwart such attacks and be prepared? – There is no single pill to be taken for that. IT/cybersecurity calls for a constant effort to make an organization ready to deal with attacks. However, most of the effort falls under the following major categories:

  1. Assessment and upgradation of IT hardware and software
  2. Sprucing up backup management
  3. Disaster management and recovery plan
  4. Testing all of the above for effectiveness in case of a real threat
  5. Conducting regular system/risk audits for vulnerability assessments
  6. Last but not least, a culture of security needs to be instilled in employees through training and mock runs

And why should an organization put money and resources into sprucing up its IT systems and security? – In today’s connected world, where all our information and details are available online (secured/unsecured), data is the new money. Any restriction on accessing the data can be equated to restricting someone from using their money, and any unauthorized usage of such data is as good as theft or forgery.

It is imperative to have a strong control system, including a strong IT policy, in place to protect the organization and customer data. Data loss/theft may turn into a huge reputation risk for the organization and may lead to heads rolling and customers leaving the company, as happened in the case of Sony Corp, Target and many other cyber-attacks on corporates. Depending on the data at risk, organisations may also have to face a funds crunch owing to ransom demands which may need to be paid.

Keeping the stakes in view, there really is no excuse for a lack of preparedness. Businesses have to stop acting on a reactive basis. On the other hand, the Government needs to amend the Information Technology Act, making it more specific and giving it more teeth, in order to chalk out the roles and responsibilities, accountability and liabilities of intermediaries like corporate agencies in case of such offences. There is also an absolute need for international cooperation to detect, investigate and prosecute the attackers on par with terrorist organizations at a global level. It is time for India to enact cyber security legislation that gives clearer insight into the roles, responsibilities and liabilities of the stakeholders, as such cases of ransomware are not completely covered by present legislation such as the Information Technology Act or the Indian Penal Code.