Carson Sweet, CTO of CloudPassage, offers short- and long-term solutions to address challenges in security

Credit: Gerd Altmann

Attacks occur for a variety of reasons, and in the wake of the most widespread ransomware attacks, WannaCry and Petya, many organizations are re-evaluating their security practices to figure out what went wrong.

While those who were hit are still trying to understand where their security gaps are, other enterprises that rely on legacy systems that can't be patched are looking for ways to avoid being the next victim.

No, the vulnerabilities attackers leverage are not new. They prey on systems that have not been updated, said Carson Sweet, CTO of CloudPassage.

There is no one-size-fits-all fix, but Sweet offered some sound advice on a variety of both long- and short-term solutions.

What might have helped protect companies from these worm-like ransomware attacks?

The important thing to remember is that WannaCry and Petya were, in actuality, easily preventable. Victims of these attacks were only victims because they failed to conduct basic software patching. Enterprises searching for a way to protect themselves should know there are several tools on the market that use automation to patch software vulnerabilities in real time.

Automation is one way to close the gap, but we also need to train developers, at the very earliest stage of their education, to bake security into all new code. It's no longer enough to tack cybersecurity onto projects as an afterthought anymore.

Other security measures enterprises can take

Having readily available data backups is the best way to maintain business continuity in the face of an attack. Keeping good, fresh data backups allows enterprises to rebuild systems quickly and inexpensively. In the face of a ransomware attack, there's no longer a need to pay the ransom because the enterprise already has a recent backup of all the data it needs.

How the industry needs to approach security education to prepare for the future

When we look at the bigger picture and the future of cybersecurity, the issue of education is critical. A recent Cisco report estimates there are 1 million unfilled cybersecurity positions globally. Here in the U.S., that number is about 100,000. It's a crisis that directly hurts the ability of companies and governments to curb hacking because there simply isn't enough available talent to fill those jobs.

How schools and universities can better prepare the next generation to combat future threats to our digital world

Cybersecurity training has not been a priority for the American education system. Universities are inadvertently contributing to the lack of cybersecurity readiness in the U.S. by failing to teach students how to implement security thinking and awareness into all new code design, development and testing. As recently as 2016, only one of the top 121 computer science and information science schools in the country required at least three cybersecurity classes before graduation. At a minimum, cybersecurity training must be a graduation requirement for all computer science programs.

To keep up with the ever-increasing challenges of hackers, though, there is no choice but to prioritize cybersecurity education for our future.