Today, Monday, May 15, 2017, it is time to take stock of what we have learned after the tremendous attack suffered by institutions and companies last Friday, May 12. The reflections after this intense weekend are not technical but common sense, and should help us to avoid or mitigate similar incidents in the future.
Reflections:
- Against spam and malware: It is not enough to have a good anti-spam, anti-virus and anti-malware service. It spares us a lot of threats, but we can’t be 100% calm.
- Against the technique called “social engineering”: The human factor, because of its unpredictability, is always the weak link in the chain. Training and awareness-raising help to reduce risks, but we cannot remain 100% relaxed.
- Against software vulnerabilities: Follow the manufacturer’s recommended software update plan. There is no perfect application, and that makes sense: many situations are not foreseen in its use, and that causes bugs and security issues. Therefore, a good patching policy and, of course, proper licensing and maintenance are necessary for the best protection, but we cannot remain 100% confident.
- Against ransom requests: Paying a ransom does not guarantee either the return of the information or that they will not attack you again.
- Against data loss: The ultimate lifeboat is backups. And for this, it is better to have a good outsourced backup plan. We strongly recommend reviewing and updating backup policies, and periodically testing that they work properly. But we can’t stay 100% calm either…
This attack, while widely covered in the media because of its broad impact, has not been the first attack in history, nor will it be the last. Nor has it been the most important or the most harmful. It has been one more of the many that will follow. Thus, the most important thing is to develop a good security and disaster recovery plan. And that plan should include clear communication guidelines for our customers, so that it doesn’t affect the company’s image. Because what’s certain is that one day, some attack will affect us directly. The question is not when. It is to be prepared for it, and to know how to react as intended.