Five years ago, on Friday, 12 May 2017, I had an epiphany. Back then, I was an IT architect in Copenhagen for a large multinational energy company. I was working from home when the WannaCry ransomware variant — which weaponised a stolen NSA exploit known as EternalBlue — began its vicious rampage through hundreds of thousands of devices in more than 150 countries.
Although the ransomware variant collected less than $200,000 in ransom payments for its authors, it inflicted losses running into the billions of dollars. It closed hospitals in Great Britain, hit banks in Russia, a German railway, and a Spanish telecom before a researcher named Marcus Hutchins registered an unregistered domain hard-coded in the malware, which turned out to be a kill switch that halted further spread (machines already infected stayed encrypted).
Sitting at home watching this unfold, I felt both a professional dread and a profound clarity. The perimeter was gone. The castle-and-moat model — which assumed that everything inside the network was trusted and everything outside was not — had been exposed as catastrophically inadequate. WannaCry didn't need to trick anyone into clicking a phishing link. It exploited a vulnerability in Microsoft's SMBv1 implementation (CVE-2017-0144, patched two months earlier in MS17-010) and spread laterally across flat networks with terrifying speed. Every unpatched Windows machine with SMB reachable on TCP port 445 from an infected neighbour was a potential victim.
The lesson that should have changed everything
WannaCry was a clear demonstration that the old model of network security — defined by perimeter firewalls and implicit trust within the network — was broken beyond repair. An attacker who gained a foothold inside the perimeter had effectively won. Lateral movement was trivial. The blast radius was enormous.
The answer, which I began implementing shortly after WannaCry, was zero trust: the principle that no user, no device, and no connection should ever be implicitly trusted, regardless of whether it originates inside or outside the corporate network. Every request for access must be verified. Every connection must be authorised. Every user must have access only to what they need and nothing more.
Micro-segmentation — dividing the network into small, isolated zones so that lateral movement requires an explicitly authorised flow — is a direct response to the lesson WannaCry taught. If every application and workload is isolated from every other by default, a worm can only travel along the few flows that were deliberately allowed, and those flows can be patched and monitored. The blast radius is contained.
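To make the blast-radius argument concrete, the following is an added example (not code from the original article or from Zscaler) that models an SMB worm as a reachability search over a constructed inventory. The hostnames, zones and allow rules are assumptions for illustration. The same estate is run twice: under a flat "castle-and-moat" policy where any zone can reach any zone on TCP/445, and under a default-deny allowlist that permits only the one flow users need (workstations to the file server).

```python
"""Added example: how micro-segmentation limits a worm's blast radius.

Models a WannaCry-style SMB worm as breadth-first reachability: from each
infected host it tries TCP/445 on every other host and infects any
unpatched host the network policy lets it reach. Inventory, zones and
rules below are constructed for illustration, not from the article.
"""
from collections import deque
from dataclasses import dataclass

SMB_PORT = 445  # the port WannaCry scanned; SMBv1 listened here


@dataclass(frozen=True)
class Host:
    name: str
    zone: str
    patched: bool = False  # True once MS17-010 is applied or SMBv1 is disabled


@dataclass
class Policy:
    """Explicit allow rules as (src_zone, dst_zone, port). Anything not listed is denied."""
    allow: frozenset = frozenset()

    def permits(self, src: Host, dst: Host, port: int) -> bool:
        return (src.zone, dst.zone, port) in self.allow


def build_inventory() -> list:
    """Constructed estate: five workstations, a file server, a database, a clinical device."""
    return [
        Host("ws-01", "workstations"),
        Host("ws-02", "workstations"),
        Host("ws-03", "workstations", patched=True),  # the one machine that got the March patch
        Host("ws-04", "workstations"),
        Host("ws-05", "workstations"),
        Host("fs-01", "fileservers"),
        Host("db-01", "database"),
        Host("mri-01", "clinical"),
    ]


def flat_policy(hosts) -> Policy:
    """Castle-and-moat: every zone may reach every zone on 445 (implicit trust inside the perimeter)."""
    zones = {h.zone for h in hosts}
    return Policy(frozenset((a, b, SMB_PORT) for a in zones for b in zones))


def segmented_policy() -> Policy:
    """Micro-segmentation: deny by default, allow only the flow users actually need."""
    return Policy(frozenset({("workstations", "fileservers", SMB_PORT)}))


def simulate_worm(hosts, policy: Policy, patient_zero: Host) -> set:
    """A host is infected if some already-infected host may reach it on 445 and it is unpatched."""
    infected = {patient_zero}
    queue = deque([patient_zero])
    while queue:
        src = queue.popleft()
        for dst in hosts:
            if dst in infected or dst.patched:
                continue
            if policy.permits(src, dst, SMB_PORT):
                infected.add(dst)
                queue.append(dst)
    return infected


def blast_radius(hosts, policy: Policy, patient_zero: Host) -> list:
    """Sorted hostnames the worm reaches from patient zero under the given policy."""
    return sorted(h.name for h in simulate_worm(hosts, policy, patient_zero))


if __name__ == "__main__":
    estate = build_inventory()
    p0 = estate[0]  # ws-01 gets infected first
    print("flat:     ", blast_radius(estate, flat_policy(estate), p0))
    print("segmented:", blast_radius(estate, segmented_policy(), p0))
```

Under the flat policy every unpatched host falls from a single infected workstation; under the allowlist the worm reaches only the file server, because that is the one flow that was explicitly permitted. Note that the file server still gets hit: segmentation shrinks the blast radius to the allowed paths, and those paths must still be patched, which is why the two controls are complementary rather than alternatives.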
Five years later, we still haven't fully learned
Five years on from WannaCry, zero trust adoption is surging. But by and large, we missed the wake-up call. We certainly didn't learn the lessons of WannaCry in time for NotPetya, which struck just six weeks later, spread with the same EternalBlue exploit plus stolen credentials (so it crossed even patched machines on flat networks), and caused an estimated $10 billion in damage. It's still unacceptably common to have users on a flat network with applications not segmented.
The good news is that the tools and frameworks now exist to implement zero trust at scale. The bad news is that urgency remains in short supply. Every organisation that delays its zero trust transformation is making a bet that the next WannaCry won't find them first. It's a bet I wouldn't take.
Since life's most important teachings are often born of the most difficult experiences, we'd do well to internalise the lessons of the past to avoid future pain. The clock is ticking.
Originally published on CXO REvolutionaries, Zscaler · 12 May 2022.