I have frequently blogged about human resources departments’ role in preventing data breaches in their organizations, and to date have largely focused on training employees to recognize and respond to phishing exploits designed to encourage employees to click on email links or attachments that contain malware. See for example here, here and here. But, in what some have been calling the biggest cyberattack ever, the recent “WannaCry” ransomware apparently seeks out computers containing a vulnerability in the Microsoft Windows operating system; that vulnerability permitted the ransomware to infect approximately 200,000 computers in 150 countries across the globe. No clicking required.
The tools to create the attack reportedly were developed by and then later stolen from the National Security Agency. Although Microsoft has issued a patch to address the vulnerability and reports indicate that the spread of this version of Wannacry has been stemmed for the time being, this certainly won’t be the last ransomware attack we see.
While any technological steps that organizations can take to reduce their own vulnerabilities in the future go far beyond my understanding, human resources departments can help protect their organizations by creating a cyber-aware culture. In addition to training employees to be suspicious of any external email links and attachments, here are two additional steps that can be taken immediately:
- Require and then train the workforce on good cyber hygiene. For instance, require strong passwords that must be changed periodically, and constantly remind employees to help the IT department apply software patches to all employee workstations, for example by shutting their machines down nightly.
- Work with the IT department to eliminate, or at least reduce, employees’ need to work on personal devices other than through a virtual private network (VPN). Encourage employees who do work from home to use only secure Wi-Fi networks and to keep their antivirus and anti-malware software up to date.