Cyberattacks on UK Businesses: What Have Been the Results of WannaCry?

What Should Boards Do to Prevent Future Attacks?

Countries Suffering the Worst Damage from WannaCry:

  1. United Kingdom
  2. United States of America
  3. Russia
  4. China
  5. Spain

The so-called “WannaCry” attack has brought attention to bear on the role of directors in cyberattacks. Because UK business suffers more cyberattacks than any other country, it is essential that a board-level strategy be developed to prevent damages. Board members are already being held liable individually for failure to take adequate measures. Directors must see that threat protection is in place, and that it is kept up-to-date. For the board’s own operations, a board portal with extensive security and protective measures is part of a valid response.

The so-called “WannaCry” ransomware attack that, in the UK, began on May 14 has brought the issue of cybersecurity to the fore in that country. Even in companies that did not suffer direct damage, directors now could not escape taking further action to prevent such breaches. This need for action at the highest level in organisations has been reinforced by the fact that other ransomware attacks followed the WannaCry wave shortly thereafter.

Analysis of the threat data by IT security firm Malwarebytes revealed that the UK’s businesses are clearly viewed as tempting targets by cybercriminals, due to the extensive use of legacy equipment at the country’s companies, even in the cash-rich tech, fintech and financial services sectors.

This helps to explain why the greatest losses were seen in the UK, where not only were 40 UK hospitals paralysed, but thousands of businesses were unable to operate. This is remarkable, because a simple patch made available by Microsoft well before the WannaCry attack defends against the ransomware.

According to Europol, the attack has impacted over 10,000 organisations and 400,000 computers in over 150 countries, and was responsible in total for $4 billion worth of damage.

Only a fraction of that sum was paid in ‘ransom,’ or about $100,000, while much vaster sums were lost in terms of lost production and worktime.

Directors must take responsibility

For Europol Director Rob Wainright, it’s clear that the responsibility for preventing attacks like WannaCry falls on the shoulders of the board of directors.

He calls for action at the board level: “Protection from ransomware threats does not require spending a lot of money, it requires recognition at the board level that action must be taken, including putting the right security in place and keeping it up-to-date. This is about taking executive responsibility.”

Governance expert Joshua Gold of the law firm Anderson Kill says: “Gone are the days when senior management could simply task the head of information technology to address whatever cyber issues were deemed most important. Officers and directors are now expected to involve themselves directly in securing company systems and data. If they fail, they are likely to face enforcement action as well as shareholder ire.

In the UK, there have already been a number of lawsuits against individual directors claiming failure to have taken preventative action after cyberattacks caused damages.

To defend against such litigation, it will be critical for the board of a company to be able to demonstrate both that systems have been developed to minimise the risk of susceptibility to a cyberattack and a plan for dealing with one should it occur. It will be equally critical to show that those systems have been properly implemented and stress-tested, and that employees are aware and compliant in practice.

“If not, claims may be brought against directors and officers, as we have seen with the recent major breaches in the US, and as is now starting to happen in the UK,” warns James Jarvis, corporate governance analyst at the UK Institute of Directors in London.

What steps Directors should take

Jarvis said that the first step for directors is to place “tech-savvy” people on the board. With the General Data Protection Regulation ((Regulation (EU) 2016/679) soon to become law in the UK and Europe, having a Data Protection Officer on the board will become mandatory for larger companies – this person may well also be suited for developing a preventative strategy against breaches.

“The tech team can deal with the specific issues that arise, but the strategy guiding them falls to the board,” Jarvis points out. Responsibility for such a strategy should be divided between the risk committee and the audit committee.

Boards should also oversee an inventory of all data that is stored by the organisation – what kind of data, where it comes from, and where it is being kept. Data and documents in use by the board of directors should, of course, be subject to special treatment, under protection by a board portal like Diligent’s, which encrypts information to allow for secure access on a variety of devices.

Board portals enable administrators to control access to critical documents and data by individual board members and executives, thus preventing unauthorised users from viewing or sharing board-related materials. Should a cyberattack like WannaCry occur, organisations using board portals have the ability to remotely remove materials from ransomware-controlled computers without having to pay a ransom. This increases their ability to control both the storage and the flow of information, along with the likelihood that their data will remain safe.

Boards should also scrutinise the results of cyberattack scenarios and develop a plan based on the results of such predictions. Every business should consider what its worst-case cyber event would look like, and how that sequence of events would be handled. What corporate governance structures would kick in — and are there ways to escalate problems directly to the CEO? Does the legal department have the right kind of relationship with the IT staff so that the lawyers can understand what’s going on? Companies should also consider — in advance — what their policy should be for notifying law enforcement — notification of breaches becomes obligatory under GDPR.

Featured Blog