Why we’re ignoring the real lesson of WannaCry

One year on, why does no one WannaLearn?

hacking and ransomware

Saturday marks exactly one year since the outbreak of the WannaCry ransomware epidemic that hit more than 300,000 computers, affecting major organisations including the NHS, where more than 40 trusts were forced to delay or cancel operations.

WannaCry made headlines around the world, drawing the attention of governments and regulators to the often woeful lack of cyber security within many large businesses and public sector bodies.

But one year on, have we learned anything? The answer, I would argue, is no. Basic IT failures are still happening, stupid security mistakes are still being made and no one, it would seem, has learned a damn thing.

As a case in point, let's take the WannaCry attack itself. As malware goes, WannaCry was not particularly sophisticated - at least, not from a technical standpoint. The reason it was able to spread so prolifically is that it took advantage of two pre-existing vulnerabilities: EternalBlue and DoublePulsar. These were critical vulnerabilities, allowing WannaCry to propagate itself exponentially.

Here's the rub, though: these exploits weren't zero-days. Microsoft had issued patches for them months before the outbreak even occurred. This, if nothing else, is the lesson of WannaCry: patch your damn systems. It shouldn't be that difficult, and it is one of the most basic steps that anyone can take to secure themselves. And yet, according to a Tanium study marking the dubious anniversary, two-thirds of organisations have not improved their patch management systems in the wake of WannaCry.

Of course, part of the blame for why no lessons have been learnt from WannaCry can be laid squarely at the feet of the security industry. For a solid year, virtually every cyber security firm in the world has been using the WannaCry outbreak as a big, scary stick which it can use to beat people into purchasing its protections. "See," they say; "this is what happens when you don't have a polymorphic, exoplasmic, hyper-next-gen 360-degree threat neutralisation suite! That'll be $300,000 per year, please."

Security vendors are right, up to a point; threats like WannaCry are a big deal, and organisations need to do more to prepare for them. What the infosec companies are conveniently leaving out, however, is that a surprisingly large proportion of threats can be stymied simply by applying software patches as soon as they are available. This isn't a substitute for having a solid security system in place, admittedly. But then, having a security system is no excuse for neglecting to apply patches either.

Don't get me wrong, I understand that updating software can be a total pain in the neck. Like testing your smoke alarm every two weeks, it's something we know we should do, but don't. We've all been guilty of repeatedly postponing that earnest little alert informing us that honestly, it's really rather important that we apply this update - I've been ignoring one such update for about two weeks on the trot, because it keeps coming up at inconvenient times.

It's a bad habit, though, and it's one that security firms should be helping all of us to break. The simple fact is that, alongside good password hygiene, a disciplined update schedule is the foundation of effective security. Without it, even the most sophisticated security suite is little more than a castle built upon sand.

If the IT industry as a whole takes one lesson from WannaCry, let it be this: take the time to update your systems. Patch fully, and patch often.

You don't have to make it your number one priority (although by rights, it should be) but make sure it's at least in the top three. If you're considering shelling out for a new security package to fight the growing tide of ransomware threats, take a look at your patch procedure first, because if you take care of your patches, then in most cases, they'll take care of you.

Featured Resources

The definitive guide to warehouse efficiency

Get your free guide to creating efficiencies in the warehouse

Free download

The total economic impact™ of Datto

Cost savings and business benefits of using Datto Integrated Solutions

Download now

Three-step guide to modern customer experience

Support the critical role CX plays in your business

Free download

Ransomware report

The global state of the channel

Download now

Recommended

Senate report slams agencies for poor cyber security
cyber security

Senate report slams agencies for poor cyber security

3 Aug 2021
Most employees put their workplace at risk by taking cyber security shortcuts
cyber security

Most employees put their workplace at risk by taking cyber security shortcuts

27 Jul 2021
61% of organizations say improving security a top priority for 2021
cyber security

61% of organizations say improving security a top priority for 2021

29 Jun 2021
ProtectedBy.AI’s CodeLock blocks malware at source code level
software as a service (SaaS)

ProtectedBy.AI’s CodeLock blocks malware at source code level

9 Jun 2021

Most Popular

How to find RAM speed, size and type
Laptops

How to find RAM speed, size and type

17 Sep 2021
What are the pros and cons of AI?
machine learning

What are the pros and cons of AI?

8 Sep 2021
Best MDM solutions 2020
mobile device management (MDM)

Best MDM solutions 2020

17 Sep 2021