Why we’re ignoring the real lesson of WannaCry

One year on, why does no one WannaLearn?

hacking and ransomware

Saturday marks exactly one year since the outbreak of the WannaCry ransomware epidemic that hit more than 300,000 computers, affecting major organisations including the NHS, where more than 40 trusts were forced to delay or cancel operations.

WannaCry made headlines around the world, drawing the attention of governments and regulators to the often woeful lack of cyber security within many large businesses and public sector bodies.

But one year on, have we learned anything? The answer, I would argue, is no. Basic IT failures are still happening, stupid security mistakes are still being made and no one, it would seem, has learned a damn thing.

As a case in point, let's take the WannaCry attack itself. As malware goes, WannaCry was not particularly sophisticated - at least, not from a technical standpoint. The reason it was able to spread so prolifically is that it took advantage of two pre-existing vulnerabilities: EternalBlue and DoublePulsar. These were critical vulnerabilities, allowing WannaCry to propagate itself exponentially.

Here's the rub, though: these exploits weren't zero-days. Microsoft had issued patches for them months before the outbreak even occurred. This, if nothing else, is the lesson of WannaCry: patch your damn systems. It shouldn't be that difficult, and it is one of the most basic steps that anyone can take to secure themselves. And yet, according to a Tanium study marking the dubious anniversary, two-thirds of organisations have not improved their patch management systems in the wake of WannaCry.

Of course, part of the blame for why no lessons have been learnt from WannaCry can be laid squarely at the feet of the security industry. For a solid year, virtually every cyber security firm in the world has been using the WannaCry outbreak as a big, scary stick which it can use to beat people into purchasing its protections. "See," they say; "this is what happens when you don't have a polymorphic, exoplasmic, hyper-next-gen 360-degree threat neutralisation suite! That'll be $300,000 per year, please."

Security vendors are right, up to a point; threats like WannaCry are a big deal, and organisations need to do more to prepare for them. What the infosec companies are conveniently leaving out, however, is that a surprisingly large proportion of threats can be stymied simply by applying software patches as soon as they are available. This isn't a substitute for having a solid security system in place, admittedly. But then, having a security system is no excuse for neglecting to apply patches either.

Don't get me wrong, I understand that updating software can be a total pain in the neck. Like testing your smoke alarm every two weeks, it's something we know we should do, but don't. We've all been guilty of repeatedly postponing that earnest little alert informing us that honestly, it's really rather important that we apply this update - I've been ignoring one such update for about two weeks on the trot, because it keeps coming up at inconvenient times.

It's a bad habit, though, and it's one that security firms should be helping all of us to break. The simple fact is that, alongside good password hygiene, a disciplined update schedule is the foundation of effective security. Without it, even the most sophisticated security suite is little more than a castle built upon sand.

If the IT industry as a whole takes one lesson from WannaCry, let it be this: take the time to update your systems. Patch fully, and patch often.

You don't have to make it your number one priority (although by rights, it should be) but make sure it's at least in the top three. If you're considering shelling out for a new security package to fight the growing tide of ransomware threats, take a look at your patch procedure first, because if you take care of your patches, then in most cases, they'll take care of you.

Featured Resources

Navigating the new normal: A fast guide to remote working

A smooth transition will support operations for years to come

Download now

Leading the data race

The trends driving the future of data science

Download now

How to create 1:1 customer experiences at scale

Meet the technology capable of delivering the personalisation your customers crave

Download now

How to achieve daily SAP releases

Accelerate the pace of SAP change to support your digital strategy

Download now

Recommended

The Ritz suffers data breach after hackers pose as staff
data breaches

The Ritz suffers data breach after hackers pose as staff

17 Aug 2020
Russia hacked Liam Fox's personal email to steal trade documents
phishing

Russia hacked Liam Fox's personal email to steal trade documents

4 Aug 2020
British teenager charged over Twitter hack
hacking

British teenager charged over Twitter hack

3 Aug 2020
Mid-year report says vulnerabilities up 22% in 2020
hacking

Mid-year report says vulnerabilities up 22% in 2020

30 Jul 2020

Most Popular

16 ways to speed up your laptop
Laptops

16 ways to speed up your laptop

16 Sep 2020
16 ways to speed up your laptop
Laptops

16 ways to speed up your laptop

16 Sep 2020
Unilever adopts Google Cloud’s complex data processing for deforestation drive
big data analytics

Unilever adopts Google Cloud’s complex data processing for deforestation drive

22 Sep 2020