The WannaCry attack should raise cybersecurity to the top of organizations’ To Do lists. If not now, when?
- The WannaCry ransomware attack has been a disaster for affected users and organizations
- It spread due to continued use of unpatched or even unsupported Windows versions
- This renews the emphasis on the basics of endpoint security and recoverability
- What needs to be done?
The news about the WannaCry ransomware attack hit the headlines whilst I was speaking at OCG’s Identity and Cybersecurity Forums at Microsoft’s HQ in New York.
I was talking about the transformational trend towards modern security measures that make use of machine learning to counter sophisticated attackers who are using intelligent attack tools. Attendees at the event – representing organizations well informed and well funded in IT – were uniformly relaxed (after some initial nervousness) about the attack because they were confident in their security foundations.
However, the widespread damage that this attack has caused worldwide illustrates just how many organizations are not in this position, and for me the WannaCry story demonstrates both how well and how badly the industry works.
Patches and Legacy
Microsoft had actually released a patch for Windows 7 in March, only a few days after the specific vulnerability became public. But despite the emphasis put on patch management for years, a depressing number of Windows XP computers remained unpatched. In some cases this was because legacy software may have stopped working – but even this is not much of an excuse.
The Brutal Truth
Whilst it is of course unfortunate when a private individual loses access to their data, failures in critical systems in, say, hospitals have far wider and more serious ramifications, and the need for action is therefore more urgent. The brutal truth is that organizations need to recognize that, like it or not, they are dependent on their IT infrastructure. However much it seems that IT should take second place behind the primary mission of the organization (be it patient care, government administration, commercial activity or whatever) the loss of IT services directly disrupts this primary mission.
I don’t imagine that any IT managers are unaware of the security risks of old, unsupported software or the need for patch management. So perhaps it takes a major attack like WannaCry to raise the priority of basic cybersecurity hygiene measures so that the individuals who control budget and resources understand that the risks are real, that they will keep coming, and that continuous effort is needed to replace outdated systems and to ensure that infrastructure is kept up to date.
Planning is key
Windows 7 is supported until the beginning of 2020. While this is hardly tomorrow, it is also within 3 years, which is a common hardware refresh cycle. If organizations are still deploying new Windows 7 systems today, at the start of 2020 they will be facing another Windows XP moment – upgrading older hardware to a supported OS in a compressed timeframe, incurring the capital and implementation costs that this implies, or living with the risk of just such an attack as this.
So what can be done?
There is much to be done to counter really sophisticated attacks, but we can’t have that conversation until the basics are covered. This attack should provide the impetus needed to fix them. If not now, then when?
- Without funding and resources, the best plans are worthless. This well-publicised malware attack should provide decisive impetus to get the funding and resources required to deliver basic endpoint security.
- Out-of-support software must be replaced – no exceptions.
- Backups, particularly offline/offsite storage of backup, are essential for recoverability.
- It is time to be thinking about, and planning for, the migration away from Windows 7 – support expires in less than 3 years, less than most hardware refresh cycles.
- Statement from Brad Smith, Microsoft President and Chief Legal Officer
- Microsoft Customer Guidance for WannaCrypt attacks
- Ransomware FAQs
Does your organization need an expert, independent review of its cybersecurity posture? An Oxford Computer Group Security Transformation Review is a great place to start.
Footnote: This blog was updated on 30 May 2017 to correct an inaccuracy concerning the timing of the Windows XP patch.