Cayman Islands IT departments worked overtime during the holiday weekend as businesses scrambled to protect their data against a global ransomware attack that affected an estimated 200,000 victims in more than 150 countries.
While Cayman’s Financial Crime Unit reported no local complaints, the “WannaCry” malware attack set off alarms and forced many businesses to implement last-minute protection measures.
KPMG cybersecurity principal Micho Schumann said the cyberattack exploited a flaw in older Microsoft operating systems, like Windows XP. Users who had not installed proper updates and followed the malware link found their files encrypted and were met with a demand for US$300 to US$600 in bitcoins to have their data released.
“The way this ransomware was different from previous ones we’ve seen is it’s also a worm. It re-propagates itself. Once it’s on your network, it’ll jump and go infect other computers and systems. It won’t hit just one desktop. It will look for other stuff,” he said.
Mr. Schumann warned that another attack could be imminent, and that companies should not assume they are safe from infiltration. He said proper staff training, system updates and adequate backup files can prevent potential headaches.
“This isn’t going away anytime soon. Companies need to be vigilant,” he said.
EShore CEO Polly Pickering spent the weekend working to address the attack. She said fear of embarrassment prevents many companies from coming forward about cybercrimes, making it difficult to measure the true local impact.
She said businesses, especially those that protect stakeholder data, must take such threats seriously and implement an emergency response plan, just as they would for a hurricane or earthquake.
“People used to think their assets were dollars in the bank, [but] now it’s digital assets that need to be protected,” she said.
She compared cyber defense to outrunning a zombie. Hackers exploit weakness and will target the easiest victims.
“You don’t have to run fast, just faster than the other guy,” she said.
Ms. Pickering recommends companies pursue multiple lines of defense, including firewalls, anti-phishing programs, backup files and staff training. She said 91 percent of attacks come from emails, emphasizing the human factor in cyber breaches.
“We think humans should become the first line of defense, not the last line. If humans don’t click on it, it’s not going to get in,” she said.
Mr. Schumann added that companies should move away from outdated operating systems like Windows XP, which no longer receive regular Microsoft updates.
“Updates [for these systems] are just buying time because these operating systems are dying,” he said.
Regarding whether victims should pay their hackers, Ms. Pickering said the answer is complicated. In some jurisdictions, she warned, payment is illegal and turns the victim into an accomplice of organized crime.
“This isn’t just some kid in a hoodie. This is big business now. … People have pensions and health plans. They go to work. For them, this is a job,” she said.