On May 14, 2017, Brad Smith, president and chief legal officer of Microsoft, posted a Microsoft blog including “Lessons from last week’s cyberattack”. His message and warnings referred to the previous Friday’s “WannaCrypt” ransomware attack, which quickly spread globally from its origination points in Spain and the United Kingdom. Smith detailed his version of the events:
The WannaCrypt exploits used in the attack were drawn from the exploits stolen from the National Security Agency, or NSA, in the United States. That theft was publicly reported earlier this year. A month prior, on March 14, Microsoft had released a security update to patch this vulnerability and protect our customers. While this protected newer Windows systems and computers that had enabled Windows Update to apply this latest update, many computers remained unpatched globally. As a result, hospitals, businesses, governments, and computers at homes were affected.
Bruce Schneier of Foreign Affairs had a slightly different take, finding “plenty of blame to go around.” Of course, the most blame goes to the bad guys who wrote the ransomware software blocking legitimate users’ access to their own systems. The victims were given the option to solve the problem and regain access by paying a “fee” to the criminals. Alas, some of the blame must also go to the victim users themselves who failed to install a Windows security patch designed to prevent an attack of this sort. Some of the blame must go to Microsoft, which, after all, wrote an inadequately secured code to begin with. And then there are the behind-the-scenes players “the Shadow Brokers, a group of hackers with links to Russia who ‘stole and published the National Security Agency attack tools that included the exploit code used in the ransom ware’.” And then, long before any of this happened, there was the NSA, “which found the vulnerability years ago and decided to exploit it rather than disclose it.”
How This Affects Board Members
The question we are asking is, “What are the vulnerabilities Board members may encounter in using Microsoft products, and what can they do about it?” Brad Smith both acknowledges the vulnerability and offers at least a partial solution. Smith cites the attack as evidence of “the degree to which cybersecurity has become a shared responsibility between tech companies and customers.” He points to the fact that many hacked computers “remained vulnerable two months after the release of a patch” because the users failed to install the fix in a timely manner.
There is also the fact that the use of certain dated Microsoft products no longer have any patch fix at all. The Internet is full of articles and posts alerting users of outdated Microsoft products no longer able to block hackers or to be fixed with a patch. Smith explains that “as cybercriminals become more sophisticated, there is simply no way for customers to protect themselves against threats unless they update their systems.” Julian Prokaza makes the same point: “All software has a ‘lifecycle’. It gets developed, released, updated and eventually abandoned — usually after a new version or two has been released in the meantime. There’s nothing to stop you using software that’s been dropped by its developer in this way, but with no further updates or bug fixes in prospect, you face an uncertain future if something goes wrong with it.”
Yes, Boards are vulnerable to Microsoft products, and to many other outdated IT products as well. The reasons cited above are clear, and while there can never be a guarantee that one won’t be the subject of an attack, regular system updates and timely patches will go a long way to prevent it. However, if it’s that simple, then why aren’t we all a lot less vulnerable?
Shawn Henry brings us back to the most important basic point: “Neglecting to understand” your network, which is the only means to assure a proper update process for your network. There is a consistent failure to understand the architecture of your network at the highest levels.
What Can Board Members Do
Perhaps more importantly, Board and C-suite members need to lead this process. This starts with Board and C-suite ownership and reporting, training and general management practices that assure that the strongest protocols are in place to ensure that all software is updated in a timely manner. As Henry puts it, “The organization must know where its critical data is, how big the network is, where the egress points are and how the network is segmented. A lack of understanding of the basic network principles and standard ‘network hygiene’ puts the company at unnecessary risk. Have a sense of urgency and get it done.”
Coupled with this is the recommendation that board members use products that have up to date security to ensure that malicious attacks are deterred. This means using a secure messaging application and a robust board portal so that sensitive materials are not shared by email, which is a highly vulnerable medium especially with more robust phishing schemes. Board portals like BoardEffect’s can protect your board and ensure that the materials most important to your organization are safe and secure.