The State of the Channel One Year Post-WannaCry
The WannaCry attack in May 2017 captured the world’s attention. One single strain of ransomware, delivered by a self-replicating worm infected 300,000 devices in 150 countries. Thousands of organizations were caught off-guard, with industry experts estimating the damages in the billions of dollars. So, what’s changed since then?
The attack had a high impact and a global footprint. The attack exploited an already patched vulnerability in Windows, so the majority of devices impacted were running on unpatched, unsupported or outdated operating systems. This exemplifies an unfortunate reality for the channel: many organizations still fail to follow basic IT security best practices such as patch management and upgrading software.
Our recent State of the Channel Ransomware Report surveyed over 1,700 MSPs and found that the threat of ransomware continues to adapt, with the overwhelming consensus being it’s not ‘if’, but ‘when’ clients will be attacked by ransomware. The breadth and diversity of ransomware today is mind-boggling, with new strains constantly under development, often leveraging unpatched ‘zero-day’ exploits and other methods to avoid detection until it’s too late.
Attack methodologies are also shifting towards considered and premeditated targeting of high-payoff individuals using social engineering, instead of targeting a wider audience. Compromising system administrators and other employees with elevated access greatly increases the likelihood of critical (and valuable) business systems being infected and held ransom. This continued evolution and adaptation of both virus and attack vector necessitates a renewed, and truly comprehensive, approach to manage the risks effectively.
What Does this Mean for the Channel?
Deploying point solutions helps, but it is not enough. Patch management, antivirus, and some user training certainly lower the risks, but an approach should utilize both proactive and reactive measures, along with a plan that the MSP can spring into action when an attack occurs.
Proactive measures need to be broad in scope, covering the human element along with software/hardware management. Robust user training and phishing tests, patch management, antivirus, network monitoring, and effective use of access controls and group-based permissions in file sharing can work effectively, but will never eliminate the threat — security is never 100% guaranteed.
Businesses also need reactive measures with appropriate objectives. The objective should not simply be to recover data, but to also mimimize the impact of an attack on productivity. An MSP that has sufficient business continuity plans for their minimize, encompassing effective use of business continuity and disaster recovery solutions covering all endpoints — including laptops along with servers — alongside all the proactive methods mentioned above, puts businesses in the best position possible to minimize downtime and carry on working even when an attack occurs.