Just about a month after the deadly WannaCry ransomware affected Windows-based computing systems globally, the outbreak of another highly virulent ransomware, Petrwrap/Petya, has hit governments, corporations, and institutions alike.
Unlike WannaCry, which merely scrambled data files, Petrwrap overwrites a computer’s master boot record, making it tougher to restore even a backed-up machine. As per the latest statistics, Ukraine, the US, Russia, France, the UK, and Germany are the worst affected (in that order), with big multinational companies like Merck, Mondelez, Oreo, and Nabisco among those hit. Not surprisingly, India is the worst-hit in Asia. The Jawaharlal Nehru Port Trust made big news after it was hit by the virus.
Usually, ransomware is a malicious programme that encrypts a user’s files while self-replicating on other vulnerable machines on the same network. This one seems to have different traits and has experts divided on whether it is ransomware or a deliberate cyber attack. It seems the ransomware attack is not motivated by any financial agenda, but aimed at massive destruction of data.
With our money and asset ownership going digital, it is important that adequate caution is exercised. We may or may not be able to stall such attacks, but their impact can at least be managed.
No doubt, all companies and individuals are at risk, since ransomware can impact any computer system. The extent of damage, however, depends on the level of preparedness.
So, what can one do to thwart such attacks? There is no magic pill. Information technology and cybersecurity call for constant efforts to prepare organisations against such attacks. However, the efforts would mostly fall under the following categories.
1. Assessment and upgradation of IT hardware and software
2. Sprucing up backup management
3. Disaster management and recovery plan
4. Testing all the above for effectiveness in case of a real threat
5. Conducting regular system/risk audits for vulnerability assessment
6. Restricting sources of data transmission to and from computers in the organisation
7. Last but not least, a culture of security needs to be instilled among employees through training and mock-runs
In today’s connected world, where all our information and details are available online, data is the new money. It is paramount to have a strong control system, including a strong IT policy in place, to protect the organisation and customer data. Data loss/theft may become a huge reputational risk for the organisation, and may even see heads roll, as happened with Sony Corp, Target and other firms that were victims of cyber-attacks. Depending on the data at risk, organisations may also face demands of ransom from hackers.
Given the stakes involved, there is no excuse for a lack of preparedness. Businesses must stop acting on a reactive basis. On the other hand, the government needs to amend the Information Technology Act to make it more specific and give it more teeth, so that the roles and responsibilities are clearly chalked out and corporate agencies are held accountable in case of such offences. There is also a need for public-private partnership and international cooperation to detect, investigate, and prosecute the attackers.
It may be a little late, but India should nevertheless enact its cyber-security legislation, providing better clarity on the roles, responsibilities, and liabilities of stakeholders, and suggest a proactive protection mechanism.
Nirav Maniar is partner and head of corporate legal and IT at financial services firm International Business Advisors.