The WannaCry ransomware attack ended up causing tens of millions of dollars of damage when it encrypted important data at businesses, hospitals and government offices around the world. Unfortunately, many of the victims are to blame in this case because they fell for a phishing message that attacked systems that were not properly updated. This worm attacked more than 200,000 computers in 150 countries. Now that researchers have had time to analyze this self-replicating attack, they are learning details that shed new and sometimes surprising light on the world’s biggest ransomware attack.
Well over half of the infections hit computers running Windows 7, whereas Windows XP incidents were practically non-existent. The 64-bit Windows 7 version, which is widely used by larger organizations, was infected at close to twice the rate of the other Windows 7 versions that are mostly used in homes and small offices. Based on these findings, it looks like the scope of the damage in the big business community was much greater than initially thought.
The crazy thing is that two months ago Microsoft issued a patch for the vulnerability that WannaCry exploits. Any system that received the patch was unaffected. So in each business that got hit, decisions were made (or avoided) that kept the patch off their systems, thus leading to the compromise.
Perhaps some of the impacted systems were devices running software applications that just weren’t ready for this Microsoft patch. In other cases the vendor is out of business, so no software updates are available, leaving those systems vulnerable to many kinds of breaches.
Some businesses have stated that they have applications so important that they can’t even be taken down for critical updates (which often require a system reboot). Is avoiding a planned downtime better than accepting the very real risk of an unplanned downtime of unknown duration? It is possible that some organizations spent the last two months testing the patches and the clock ran out before they could “bless” the changes.
There are ways to mitigate the risk of an unpatched system by isolating it from the rest of the network and locking down its security. This is a basic system protection principle.
We live in a dangerous world and, at this point, anyone responsible for computer systems knows that hackers are constantly probing for weaknesses. It is hard to claim that the patching process isn’t needed as protection.
The real news on this story is that budgets are so tight that security work is often underfunded and undervalued. If security activities were given a higher priority, the patches could have been tested and deployed in a timely fashion. At NPI Technology Management the technicians aggressively patch our clients’ systems and no one experienced an impact from WannaCry.
Shame on corporate leaders, business owners and IT staff who ignored the well-known risks associated with unpatched systems. If the fix was skipped due to concerns about an application, they need to choose a new Microsoft-compatible application vendor.
Perhaps the success of the attacks on the British NHS was due to a lack of funding for technology updates. Maybe the hospital auditors looked the other way when they knew the work couldn’t be done. If so, this compounds the error because the medical auditors I know have recommended aggressive patching and strong controls for many years.
Financial managers have to understand that, when they make a business decision to shave the security budget, they are increasing the likelihood that those risks become real losses. Too many organizations apparently hit the snooze button on their daily obligation to keep systems updated and secure. In my book, these are negligent security practices.
So what are the lessons for small business managers?
- Set Operating System updating to be automatic
- Rapidly resolve issues with systems that can’t be patched
- Reboot all devices each time a new patch is installed
- Choose applications that are fully compatible with Microsoft’s updates; replace those that aren’t
- As your last line of defense and to avoid paying ransom, schedule frequent backups and verify them often
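One way for a small business to check the first three lessons on a Windows host is the audit script below. It is an added example, not code from the original post or from NPI Technology Management; it assumes PowerShell 3 or later with local administrator rights, reads the standard Windows Update and Component Based Servicing registry locations, and treats the 30-day patch-age threshold as an assumed policy value.

```powershell
# Added example (not from the original post): audit one Windows host against
# the patch-hygiene lessons above. Assumes PowerShell 3+ and local admin rights.
function Get-PatchHygieneReport {
    [CmdletBinding()]
    param([int]$MaxPatchAgeDays = 30)   # assumed policy threshold, adjust to taste

    $os = Get-CimInstance Win32_OperatingSystem

    # Lesson 1: is automatic updating enabled? A Group Policy value overrides the
    # local setting. NoAutoUpdate=1 disables it; AUOptions 4 = download and install.
    $policy = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU' -ErrorAction SilentlyContinue
    $local  = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update' -ErrorAction SilentlyContinue
    $auOptions = if ($policy -and $policy.PSObject.Properties['AUOptions']) { $policy.AUOptions }
                 elseif ($local) { $local.AUOptions } else { $null }
    $autoUpdate = (-not ($policy -and $policy.NoAutoUpdate -eq 1)) -and ($auOptions -eq 4)

    # Lesson 2: how stale is the newest installed hotfix? A host whose newest
    # patch is older than the threshold is the kind of system WannaCry found.
    $newest = Get-HotFix | Where-Object InstalledOn | Sort-Object InstalledOn -Descending | Select-Object -First 1
    $patchAge = if ($newest) { (New-TimeSpan -Start $newest.InstalledOn -End (Get-Date)).Days } else { $null }

    # Lesson 3: a patch that is installed but waiting on a reboot protects nothing yet.
    $rebootPending = (Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending') -or
                     (Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired')

    [pscustomobject]@{
        ComputerName  = $env:COMPUTERNAME
        OS            = "$($os.Caption) ($($os.OSArchitecture))"   # 64-bit Windows 7 was hit hardest
        AutoUpdateOn  = $autoUpdate
        NewestHotFix  = if ($newest) { $newest.HotFixID } else { 'none found' }
        PatchAgeDays  = $patchAge
        PatchTooOld   = ($null -eq $patchAge) -or ($patchAge -gt $MaxPatchAgeDays)
        RebootPending = $rebootPending
        LastBoot      = $os.LastBootUpTime
    }
}

# Run on the local machine; any row with AutoUpdateOn=False, PatchTooOld=True
# or RebootPending=True is a host that has not followed the lessons above.
Get-PatchHygieneReport | Format-List
```

Running it through Invoke-Command against a list of workstations turns the same function into a fleet-wide report of which machines still need attention.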
The millions of businesses that did these five things were protected from WannaCry. This event is another reminder that ultimately each organization has to take responsibility for its own security and take disciplined action to avoid the financial and reputational costs of a security breach.