×

The ‘WannaCry’ ransomware attack could have been prevented. Here’s what businesses need to know

On Friday, the world was hit by a massive cyberattack, the effects of which are continuing to spread as of this writing.

A piece of ransomware known as "WannaCry" paralyzed businesses, government entities, and Britain's National Health Service, encrypting computer files on infected machines unless the owner paid a $300 ransom. All told, more than 300,000 computers have been knocked offline in an attack that has wound its way through nearly every country on Earth.

The attack exposed major shortcomings in the approach of governments as well as businesses around the world to cybersecurity. And it shows just how inadequate our existing approach to cybersecurity is in the face of the widespread availability of software exploits and the increasing prevalence of malicious actors online.

Britain's National Health Service was hit hard because the cash-strapped hospital system did not upgrade to the most recent versions of the Windows operating system — an outdated system Microsoft long ago stopped supporting.

The malware's spread was slowed Friday in part because Microsoft took the rare step of offering an emergency patch to the old Windows XP systems (something that typically does not happen with unsupported software)—and in part because a 22-year-old cybersecurity researcher who calls himself MalwareTech discovered and activated what appears to have been a "kill switch" buried in the malware code. Companies can't count on these types of developments to constrain the next attack.

Like so much of the malicious activity on the internet, the attack took advantage of known vulnerabilities. Back in March, Microsoft had, in fact, pushed out a patch to the vulnerability that the WannaCry ransomware was able to exploit. The problem was that many businesses and institutions hadn't applied the patch — and on a broader level many institutions consistently lag behind in updating their software or continue to use older operating systems that aren't supported by new security updates.

While no set of defenses can be guaranteed to withstand a sustained attack from a sophisticated attacker, they can still go a long ways toward reducing and mitigating risk: According to the Department of Homeland Security, as many as 85% of targeted cyberattacks are preventable through these basic risk-mitigation measures.

So what can businesses do right now?

First, every business should examine what it is doing to protect against phishing attacks (i.e., e-mails from bad guys with malware attached, where clicking introduces the threat to the system). Warning and educating employees about these threats is obviously a good idea — but a more effective tactic is to run a "red team" type test by sending fake phishing emails out to employees and seeing how many people fall for them. Companies can then follow up with better training after they've accurately diagnosed the extent of their vulnerability.

Second, as the WannaCry attack clearly shows, it's imperative for businesses to make sure they are constantly updating their software and installing appropriate security patches. That also means keeping current with the latest operating systems; oftentimes, a patch might only work with the most current system, leaving older ones in a state of ever-worsening security limbo (as has been the case with Windows XP).

And the ransomware attack carries another important, related lesson: The patch that Microsoft had pushed out in March did not have a large red sign next to it that said, "URGENT Patch Needed To Prevent Against Devastating Ransomware Attack." The update was offered quietly without a further description. Whatever the reason for this (and perhaps it was because Microsoft didn't want to alarm users or call attention to the vulnerability), the fact remains that you may not know until it is too late whether an update is a critical cybersecurity measure or whether it just adds some new feature or fixes an obscure bug in the software.

Third and maybe most critically, companies should game out these cyber scenarios and have a plan in place for how to handle them. Every business (whether in the tech sector or not) should consider what its worst-case cyber event would look like and how that event would be handled. What corporate governance structures would kick in — and are there ways to elevate problems directly to the CEO? Does the legal department have the right kind of relationship with the IT people so that the lawyers can understand what's going on? Companies should also consider — in advance — what their policy should be for notifying law enforcement. And, in the event of a ransomware attack, they should consider whether they would heed the FBI's advice not to pay in all cases or would be willing to take some other approach if their business depended on it.

These decisions are complicated, and there is probably no one-size-fits-all set of answers. The legal fallout can also be sprawling — ranging from possible consumer-privacy litigation, to shareholder suits, to cooperating in criminal investigations. The ramifications can even include being drawn into an international incident with a foreign adversary, as was shown by the Sony hack in 2014 — and as current reporting is suggesting may be the case here. A business that falls victim to an attack also likely won't know who is behind the attack for some time, and so will be forced to make these decisions with imperfect information about whether it is dealing with ordinary crooks, a hostile nation-state, a terrorist organization, or some combination of these actors working in concert.

Planning for these scenarios and putting safety measures in place may sound expensive and onerous. But as the past weekend has shown, the cost of not preparing for them can be far higher. And unfortunately, businesses cannot count on governments to do this work for them. While federal agencies continue to assess their own vulnerabilities, the private sector must harness its own abilities to adapt and innovate in order to be better prepared for the next attack.

Commentary by John P. Carlin, former Assistant Attorney General for the U.S. Department of Justice's National Security Division (NSD). He currently chairs Morrison & Foerster's global risk and crisis management group and co-chairs its national security group. He is also the chair of the Aspen Institute's Cybersecurity & Technology Program.

For more insight from CNBC contributors, follow @CNBCopinion on Twitter.