The Impact of NotPetya and WannaCry

Another wake up call

Every time there is a major security incident many people claim it to be the “wake up call” the incident has needed. Surely, it stands to reason that if a big enough incident occurs, people will stand up, take notice, and take the necessary steps needed to make sure it doesn’t happen again.

To test out this hypothesis, we conducted a survey on Spiceworks. For those unfamiliar, Spiceworks has a large and vibrant technology community – one that extends beyond security, but is often made up of technology professionals that have varying degrees of security responsibility in their jobs.

In other words, the Spiceworks community are the ‘do-ers’, the ones at the coalface – so they represent perhaps one of the best section of technologists to ask.

Getting things done

One would expect that in the aftermath of such high-profile and devastating attacks, IT projects would be green lit and the money would start flowing.

The reality is a lot more subdued, with only 14% of respondents stating their cyber security budgets have increased, and only a fifth (20%) have been able to implement changes or projects that were previously put on hold.

The flip side

While budget may not be as free-flowing as one may assume, it doesn’t mean that companies have been completely negligent. 65% of respondents stated they are more up-to-date with patching than they were previously, and half say they are using threat intelligence more regularly to stay ahead of emerging threats. With a further 58% claiming to have carried out a review of their organizations cyber security posture following the attacks.

This is encouraging, as it means companies are not completely ignoring the challenges they face – and are leveraging existing investments to help get their companies in a better position.

Although, as the attacks have shown, prevention alone isn’t enough and it would also be prudent for organizations to focus their efforts on threat detection and response.

A makeover?

For IT professionals, 22% said their family and friends are more interested in hearing about their work, and 27% believe most people in their organization listen to their IT advice more than they did before.

Unfortunately, it hasn’t translated to great financial rewards with 10% have experienced an increase in job offers, or managed to negotiate a pay increase following the attacks.

Incident Apathy?

IT Security remains a challenging environment within which to work where resilience is the key to success. The sheer number of incidents that are reported on an almost daily basis may also be a contributing factor towards organizational apathy towards incidents.

While attacks cannot be prevented, and IT Security may be a cost that organizations have to bear as a price of doing business in the digital age. It doesn’t necessarily mean that there are no options.

Many security fundamentals can be implemented with little capital needed to source new products. Rather these can be put in place with procedural changes or by dedicating time for staff to undertake security tasks. These security tasks should also cover threat detection, to monitor environments to ensure there are no signs of suspicious activity. Rapid response to any incident could help limit the impact and cost of recovery.