In mid-May, hackers unleashed WannaCry ransomware, which encrypts victims' computer files and demands a ransom to restore the encrypted data. So far it's the largest cyberattack the world has experienced, impacting more than 200,000 victims in at least 150 countries, according to CNNMoney.
The exploit isn't good news for anyone, especially its victims, but it presents an opportunity for IT consultants to educate clients about the importance of cyber security. Taking the time to educate clients can also help your defense if a customer experiences a cyber attack, blames you, and sues.
Why WannaCry Never Needed to Happen
One of the most frustrating parts of the WannaCry attack is that it never would have happened if computer users had diligently installed software updates and patches. The virus spread by taking advantage of a vulnerability in older versions of Microsoft Windows. Microsoft had actually released a security patch to fix the issue a few months earlier, but the attackers bet on the fact that a lot of users hadn't installed it. Turns out they were right.
"WannaCry could have been prevented if computer systems were patched properly and there was a larger focus on end-user training related to cyber security," says Eric Hobbs of Technology Associates (@techassociateNC), a managed IT services provider.
As reported by The Verge, the majority of people impacted by the virus were running Windows 7, an outdated version of the operating system. The virus hit large organizations, such as FedEx and the UK's National Health Service. However, the majority of the victims were consumers or small-business owners, who perhaps don't have the resources to upgrade.
"It can be challenging for smaller businesses to upgrade and keep current, which could be one reason they bore the brunt of this attack," says Tom Evans, a retired IT professional who provides security awareness training for Ashton Technology Solutions (@AshtonSolutions). "Some businesses are trapped with older business software that will not run on modern operating systems and they can't afford the upgrade."
The results of a cyberattack can be disastrous for small-business owners. In fact, six out of 10 small businesses go out of business following a cyber attack, according to CNET.
Expert Tips on How to Talk to Clients about Cyber Security
WannaCry is a good opportunity for IT consultants to talk to clients about IT best practices that limit exposure to hackers and ransomware. We asked some IT consultants to share the advice they give to clients and how they proactively talk to customers about cyber security.
Ken Johnson (@cktricky), chief technology officer at nVisium (@nVisium), a leading application security firm, always tells clients to "update software using official updates." He advises you to tell clients not to trust unofficial sites that claim to have detected malware on their machine or spotted outdated software.
If he were talking directly to a client, Johnson would also say, "Be careful of the sites you visit and the programs you install. Remember, antivirus solutions are only effective a small percentage of the time no matter what the vendors tell you, so even if you install this software, you still have to be intelligent about your computer use."
Eric Hobbs recommends using the latest threats as an opening to educate clients.
"We continuously train our users on cybersecurity," says Hobbs. "When a new threat is seen, we immediately get it out to our user community so they have a heads up and are prepared when and if they receive a similar phishing email. No antimalware software is perfect and zero-day exploits will be employed. But a user who is aware of common hacker tactics would prevent the majority of these types of outbreaks."
Hobbs says he also reviews the basics with customers, such as how to install antimalware protection, patch systems, and use security controls to limit what sites users can access.
Tom Evans also stresses the importance of cyber security awareness training with clients.
"If you have some success stories, share them," suggests Evans. He also recommends:
- Emphasizing the need for inbound email filtering.
- Filtering attachment types.
- Using firewalls to restrict traffic to suspect areas of the world.
"If you don't do business in Russia, there is no reason to allow your network to go there," says Evans.
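The attachment-type filtering Evans recommends is easy to describe and easy to get subtly wrong, so here is an added worked example of the policy logic (written for this page; it is not code from Evans, Ashton Technology Solutions, or any mail-filtering product). The sample messages are constructed inline, and the extension lists are assumptions to be tuned per client. The point it demonstrates beyond the bullet above: judge a filename by its last extension (so "invoice.pdf.exe" is caught), treat archives as needing review rather than a blanket allow, and return a per-message verdict that a mail gateway rule could act on.

```python
"""Inbound attachment-type filter, worked example for a security-awareness write-up.

Constructed sample messages are built with EmailMessage below; the block and
archive lists are assumptions for illustration, not a vendor's default policy.
"""
from email import message_from_string
from email.message import EmailMessage

# Extensions that execute directly or carry macros/scripts (assumed list; tune per client).
BLOCKED_EXTENSIONS = {
    "exe", "scr", "pif", "com", "bat", "cmd", "vbs", "js", "jse", "wsf",
    "hta", "ps1", "jar", "lnk", "docm", "xlsm", "pptm",
}
# Archives and disk images can wrap any of the above; hold them for a deeper look.
ARCHIVE_EXTENSIONS = {"zip", "rar", "7z", "iso", "img"}


def classify_filename(filename: str) -> str:
    """Return 'block', 'review' or 'allow' for one attachment filename.

    Double extensions such as 'invoice.pdf.exe' are judged by the LAST
    extension, which is the one the desktop uses to pick a handler.
    """
    parts = filename.lower().rsplit(".", 1)
    if len(parts) < 2:
        return "allow"  # no extension: nothing for an extension filter to act on
    ext = parts[1]
    if ext in BLOCKED_EXTENSIONS:
        return "block"
    if ext in ARCHIVE_EXTENSIONS:
        return "review"
    return "allow"


def filter_message(raw: str) -> dict:
    """Walk a raw RFC 5322 message and return an overall verdict plus findings.

    findings is a list of (filename, verdict) for every non-'allow' part, so a
    gateway rule or a user-facing notice can say exactly which attachment tripped.
    """
    msg = message_from_string(raw)
    findings = []
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue  # container, not an attachment
        filename = part.get_filename()
        if not filename:
            continue  # inline body text has no filename
        verdict = classify_filename(filename)
        if verdict != "allow":
            findings.append((filename, verdict))
    if any(v == "block" for _, v in findings):
        overall = "block"
    elif findings:
        overall = "review"
    else:
        overall = "allow"
    return {"verdict": overall, "findings": findings}


def build_sample(filename: str, maintype: str = "application",
                 subtype: str = "octet-stream") -> str:
    """Construct a small MIME message with one attachment (sample data, not real mail)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "user@example.com"
    msg["Subject"] = "Constructed sample"
    msg.set_content("Please see the attached file.")
    msg.add_attachment(b"\x00\x01\x02", maintype=maintype, subtype=subtype,
                       filename=filename)
    return msg.as_string()


if __name__ == "__main__":
    for name, mt, st in [("invoice.pdf.exe", "application", "octet-stream"),
                         ("report.pdf", "application", "pdf"),
                         ("bundle.zip", "application", "zip")]:
        print(name, "->", filter_message(build_sample(name, mt, st)))
```

The filter is deliberately conservative about archives: blocking every .zip breaks legitimate business mail, but letting them straight through hands attackers an easy wrapper, so "review" (sandbox detonation or a quarantine queue) is the middle path most gateways offer. The same function structure also makes it straightforward to add the inbound filtering checks from the list above, such as a sender-domain allowlist, as further verdict inputs.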
You can also share our eBook Small Business Guide to Identity Theft Prevention and Data Security with your clients. It was written with the small-business owner in mind, and provides actionable tips on how they can protect their data.
Why Teaching IT Best Practices Can Help Your Customers – and You
As an IT consultant, you're on the front lines in the war against computer viruses. It's your job to not only stop viruses in their tracks, but to educate your customers on how to avoid getting them in the first place.
The problem is even if you take every security measure you can think of on their behalf, you can't control everything. All it takes is one unwitting employee to click on the wrong link for hackers to steal or encrypt your client's data.
If a client sues, claiming that you didn't do enough to protect them from cybercrime, your Errors & Omissions Insurance can help. Most Errors & Omissions Insurance policies include third-party Cyber Liability Insurance that can help cover lawsuits over a client's data breach. It can pay for:
- Attorney fees.
- Court costs.
- Court-ordered damages, if you're found liable.
- Other legal expenses.
To learn more about which party is responsible for breaches, read "When Data Is Compromised, Who Is Responsible?"
About the Contributors
Tom Evans currently provides contract security awareness training for Ashton Technology Solutions and blogs about security issues. He is mostly retired after working in the IT industry for approximately 35 years. He enjoys spending time bird watching with his wife, and hopes to get back into scuba diving this summer.
Eric Hobbs started as a network administrator for a professional liability insurance carrier in 1991, and was later promoted to IT manager. In 1997, Eric started Technology Associates with the mission to provide "big company IT" to businesses that didn't have an IT staff. Over the years, Eric has worked with businesses large and small to help leverage technology for a competitive advantage.
Ken Johnson is the chief technology officer of nVisium and leads the company's product development efforts. Ken is obsessed with code, passionate about the open source community, and genuinely loves to create. With over 12 years in the industry, Ken regularly speaks at conferences and events such as CERN, AppSec USA, DerbyCon, LASCON, AppSec California, DevOpsDays Austin & DC, Insomni'hack, and RubyConf.