What Can We Learn from WannaCry? A Lesson in Incident-Response Plans and Security First

Cybersecurity doesn’t get top billing in most organizations. Sure, everyone knows that security is a necessity for legal compliance and basic risk management. But all too often, implementing it is a one-and-done affair or — even worse — an afterthought. The WannaCry ransomware attack, which affected more than 200,000 computers in 150+ countries after Windows software exploits were stolen from the NSA, is a jarring reminder: Security has to come first in everything that you do.

That might seem like hyperbole, but it’s the truth. After all, customers are beginning to think of security when they’re shopping for software, so you should put security first when building and maintaining your products. Having a security-first mindset safeguards your company, of course, but it also gives you a competitive advantage over those who downplay the risks.

While being a security-first company will bring you as close as possible to actually being secure, the fact is that you may still get hacked. So, what’s a savvy business to do?

Build complete plans

Effective incident-response plans cover both common scenarios and edge cases. They are living documents that evolve over time as new threats emerge and best practices improve. You want to be prepared so that you’re not cobbling together a plan in a time of panic. Your communications strategy should include specific actions, quantifiable data and steps being taken to prevent similar incidents in the future.

Practice makes perfect

Many organizations’ remediation plans are superficial documents created to meet legal requirements. When an incident occurs, such organizations often fail to address it — or their own customers — because the plans haven’t been drilled ahead of time. Preparation is key.

To make the practice as real as possible, you might hire a white-hat hacker to breach a replicated environment. Schedule full-day company drills and carry out incident simulations at all times of day. Prepare your support and engineering teams to tackle an unprecedented flood of support tickets and assign severity levels. Act out emergency contact plans to connect key players — CEO, CTO, developers, etc. — live for high-severity incidents/breaches. Customer success, sales, marketing, HR, and finance play important roles in internal and external communications, as well.

Respond effectively

An important part of your response plan is knowing which sources of information to rely on. Early media reports indicated that WannaCry was being spread via email, but this was incorrect. Some organizations took counterproductive actions based on those early reports — in one case disrupting business unnecessarily by shutting down email completely in an attempt to stop the spread of the attack. Having a robust source of real-time threat intelligence could have helped organizations take better mitigation steps rather than relying on media reports.

Yahoo! and Target are also examples (2016 and 2014, respectively) of poor incident-response planning. In both cases the companies had long plans hammered out by lawyers. (Target’s monitoring system even issued warnings before the customer data was stolen.) Yet in both cases, their incident response and remediation were poor, and customers did not feel adequately reassured.

For startups and growth-stage companies it’s even more critical to handle a breach in a way that satisfies customers. Because young companies haven’t spent as much time building customer trust as larger organizations have, breaches are more likely to be catastrophic failures for them.

In your communications, don’t simply assure customers that you did everything you could and that you’ll do better in the future. Instead, use the opportunity to accelerate your security roadmap and hiring, and to adopt a broader security-first stance.

Conduct a root-cause analysis

After a security incident, it’s important to analyze what went wrong. Look at the source of the incident as well as technology and process gaps. Where did the threat model fail, how high was security awareness across the team, and were adequate resources allocated to mitigate the threat?

Reprioritize security

While it’s always best to prioritize security functionality in product roadmaps before a breach, part of your post-breach remediation plan should be to revisit priorities.

JPMorgan Chase provides a good example: It experienced a large-scale breach in 2014 that led to the loss of over 75 million customer records. However, the company doubled down on security spending post-breach, increasing it to $500 million. The follow-on effect was acceleration of security investments at Citigroup and Bank of America. The trend isn’t just for financial organizations; Gartner predicts that “60 percent of enterprise information security budgets will be allocated to rapid detection and response approaches by 2020, up from less than 10 percent in 2014.”

The final word

It may be impossible to make customers truly happy after a security incident, but if you acknowledge that you screwed up and compensate them fairly, their annoyance will fade and they’ll maintain their trust in your organization.

When you keep these key considerations in mind — build complete incident-response plans, practice them regularly, respond well to breaches, identify their root causes, subsequently focus even more deeply on security, and adequately compensate your customers — you’re well on your way to going beyond security table stakes and building a security-first organization.

For much more on security first, check out these resources:

View: The 10 Principles of Security First SlideShare
Listen: A Deep Dive into Security First Podcast