The WannaCry Legacy for Security Awareness, Behaviour and Culture

By now you’ve probably read at least a dozen different stories on how the WannaCry incident is principally a failure of IT systems and processes. While that is likely true, for me it also exposes some important opportunities to improve the ways in which we train our people to understand and react to such risks, and shows how we are failing to embed good security deep in the culture of our organisations. It also raises for me some broader questions on the cultural impact of such incidents across society.

Let me explain.

Awareness Not Transforming into the Right Behaviour

WannaCry will, without doubt, be used by the security industry as a reminder of the potential impact of a security incident and as a riposte to any push back against investment when people say “just how likely is this to happen?” The widely acknowledged analysis so far suggests that the vulnerability which was exploited to such damning effect was known about, and that a patch had been available to mitigate the risk. Despite this, many organisations knowingly chose to delay implementing the patch or, at the very least, delayed the decision to patch their systems. Will WannaCry shine a light on the effectiveness of how security professionals make stakeholders aware of risks, so that better and more timely decisions can be made?

An Inherent Understanding of Risk

I understand that the “accidental hero” who registered a domain name which brought the initial spread of the ransomware to an end has, against their will, had their name and other personal details, including their address, published by several media outlets. For me this highlights a cultural clash between the needs of the media organisation and the privacy of, in this case, the accidental hero, and it also raises questions about the media outlets’ own levels of awareness of what information security and privacy are really about.

Effective Communication of Risk within an Organisation

Many have assumed that the right people within the organisations affected had been made aware of the risks that the vulnerabilities in the software could bring about. However, I’ve been left wondering how effective the communication was if the desired outcome wasn’t achieved. If the communication was effective, then why didn’t they authorise the investment needed to manage the risk? Many will consider whether the concept of risk management was, in any way, to blame here. Would a known vulnerability, but with no known threat (exploit) in the public domain, be an unacceptable risk when compared to an organisation’s documented risk appetite? In my experience many would accept this risk until there was evidence of the vulnerability being exploited, or being very likely to be exploited.

Reading through posts on LinkedIn, and elsewhere, I do wonder whether those organisations affected had actually performed an effective risk assessment. By effective, I mean a risk assessment which clearly identifies the impact to an organisation’s operations, clients/users and regulatory obligations from a potential breach of security. In theory none of this should have been unexpected if an effective risk assessment had been conducted. But I get a sense that many were unaware of the ramifications of their decisions, or lack of decisiveness, with regard to the vulnerability.

For those who have unfortunately been caught up in the WannaCry incident, the silver lining is that the pain associated with such an incident will live far longer than the benefit most stakeholders feel when they approve investment in security. This is called “loss aversion”. It may help stakeholders to sharply remember what happens when things go wrong the next time investment is requested for information security.

Embedding Security in Organisational Culture

In terms of culture I think there are a couple of aspects worth considering.

First, there is the impact on organisational culture within those organisations where WannaCry has had a direct effect. Stories, myths and legends play an important part in culture. How will the WannaCry incident be remembered and retold? Will it be remembered and re-told at all? Will its lessons be embedded in the culture of the organisation going forward?

Second, there is the effect on organisational attitudes where WannaCry didn’t have a direct impact. Awareness levels will peak, there will be a flurry of activity, but then, there’s evidence to suggest, this will fade away. How will the appropriate stakeholders respond in these organisations towards the widespread event, even if it didn’t affect them directly? Will they remain quiet or will they see this as an opportunity to reconfirm the importance of security to the organisation’s values?

Third, there is the impact on broader societal attitude towards information security and what they expect of others, who are custodians of our data. Will society respond, to this heightened level of awareness by becoming comfortable with this type of incident? Will people see this as “the norm” or a culturally acceptable risk, in our digitally connected world? Will society question the contract that exists between people and the custodians of their data? Will people seek out greater assurances or challenge what they are told?

The Role, Attitude and Culture of the Security Services

The incident also raises awareness, for me, of the danger of intelligence agencies, and other organisations which exploit known and unknown vulnerabilities, stockpiling unknown vulnerabilities and digital tools. Especially once used in “the wild”, these exploits can be hijacked and turned against those they were deployed to protect. In such instances, what is the state’s obligation with regard to raising awareness across society that a security breach has happened?

Turning Theory into Practice

This is one of those occasions where we all have a duty to learn the lessons from this serious security incident and embed them fully in the on-going culture of our organisations. Exactly how to do this is something I’ve spent the last few years researching and have managed to distil down into a concise methodology for security professionals. To find out more about this, please follow this link to find out about our 2017 workshops, or, if clicking on links seems a little too risky right now(!), just visit our training page for more information.