WannaCry ransomware has locked up IT systems at hospitals, government agencies and manufacturers around the globe, but U.S. banks have gone largely untouched, thanks to their embrace of powerful cybersecurity measures.
U.S. banks managed to remain unscathed because they rapidly apply new software security patches and regularly back up data, according to Steve Silberstein, chief executive of Sheltered Harbor LLC, an industry group that provides disaster recovery resources to finance companies.
“There’s a commitment to staying current with patches and threats,” said Silberstein, who was quoted in a recent WSJPro article. “It’s also a big commitment to educating staff about the risks. In a nutshell, for banks, cybersecurity is taken very seriously as a daily part of running the business, from the board all the way down to the individual employee.”
WannaCry ransomware is designed to encrypt victims’ digital files and hold them hostage until a ransom is paid. The malicious software first made headlines last Friday when it caused IT disruptions to at least 36 hospitals throughout Great Britain. By Monday, WannaCry had spread to more than 200,000 systems worldwide. Nissan Motors, Hitachi, FedEx, China National Petroleum and Sberbank of Russia are just some of the organizations that have been affected.
WannaCry spreads through infected email links and email attachments. Once the virus is unleashed, it self-replicates and spreads itself across IT networks. That’s what makes WannaCry so dangerous, according to Mohamad Ali, president and CEO of Carbonite.
“WannaCry used a security flaw in the Microsoft operating system to spread itself across networks,” Ali said. “Given that there will always be software vulnerabilities out there, it’s really important that businesses follow the example of U.S. banks and back up everything that they have.”
Advanced patching sets banking industry apart
Banks have faced their share of cybercrime, including a series of Distributed Denial of Service attacks that targeted American financial institutions in 2013 and 2014. But experts say U.S. banks rarely fall victim to cybersecurity incidents that result from failure to apply patches.
That’s no small feat. Many businesses fail to apply security patches in a timely fashion because doing so takes a great deal of planning, strategy and testing, especially when dealing with complex IT environments with many interdependent systems.
The U.S. banking industry solved this problem many years ago by investing in streamlined patching processes, according to Michael Daniel, president of the Cyber Threat Alliance.
“It’s very easy for the bank to say, I can make this $5 million investment here and prevent this $50 million threat over there,” Daniel told WSJPro. “Other companies may see the cost of doing cybersecurity but don’t see the benefit of it in dollar terms up front. This is why the financial services industry has gotten mature faster than other industries.”