Why we’re ignoring the real lesson of WannaCry
One year on, why does no one WannaLearn?
Saturday marks exactly one year since the outbreak of the WannaCry ransomware epidemic that hit more than 300,000 computers, affecting major organisations including the NHS, where more than 40 trusts were forced to delay or cancel operations.
WannaCry made headlines around the world, drawing the attention of governments and regulators to the often woeful lack of cyber security within many large businesses and public sector bodies.
But one year on, have we learned anything? The answer, I would argue, is no. Basic IT failures are still happening, stupid security mistakes are still being made and no one, it would seem, has learned a damn thing.
As a case in point, let's take the WannaCry attack itself. As malware goes, WannaCry was not particularly sophisticated - at least, not from a technical standpoint. The reason it was able to spread so prolifically is that it took advantage of two pre-existing vulnerabilities: EternalBlue and DoublePulsar. These were critical vulnerabilities, allowing WannaCry to propagate itself exponentially.
Here's the rub, though: these exploits weren't zero-days. Microsoft had issued patches for them months before the outbreak even occurred. This, if nothing else, is the lesson of WannaCry: patch your damn systems. It shouldn't be that difficult, and it is one of the most basic steps that anyone can take to secure themselves. And yet, according to a Tanium study marking the dubious anniversary, two-thirds of organisations have not improved their patch management systems in the wake of WannaCry.
Of course, part of the blame for why no lessons have been learnt from WannaCry can be laid squarely at the feet of the security industry. For a solid year, virtually every cyber security firm in the world has been using the WannaCry outbreak as a big, scary stick which it can use to beat people into purchasing its protections. "See," they say; "this is what happens when you don't have a polymorphic, exoplasmic, hyper-next-gen 360-degree threat neutralisation suite! That'll be $300,000 per year, please."
Security vendors are right, up to a point; threats like WannaCry are a big deal, and organisations need to do more to prepare for them. What the infosec companies are conveniently leaving out, however, is that a surprisingly large proportion of threats can be stymied simply by applying software patches as soon as they are available. This isn't a substitute for having a solid security system in place, admittedly. But then, having a security system is no excuse for neglecting to apply patches either.
Don't get me wrong, I understand that updating software can be a total pain in the neck. Like testing your smoke alarm every two weeks, it's something we know we should do, but don't. We've all been guilty of repeatedly postponing that earnest little alert informing us that honestly, it's really rather important that we apply this update - I've been ignoring one such update for about two weeks on the trot, because it keeps coming up at inconvenient times.
It's a bad habit, though, and it's one that security firms should be helping all of us to break. The simple fact is that, alongside good password hygiene, a disciplined update schedule is the foundation of effective security. Without it, even the most sophisticated security suite is little more than a castle built upon sand.
If the IT industry as a whole takes one lesson from WannaCry, let it be this: take the time to update your systems. Patch fully, and patch often.
You don't have to make it your number one priority (although by rights, it should be) but make sure it's at least in the top three. If you're considering shelling out for a new security package to fight the growing tide of ransomware threats, take a look at your patch procedure first, because if you take care of your patches, then in most cases, they'll take care of you.