Why we’re ignoring the real lesson of WannaCry

One year on, why does no one WannaLearn?

hacking and ransomware

Saturday marks exactly one year since the outbreak of the WannaCry ransomware epidemic that hit more than 300,000 computers, affecting major organisations including the NHS, where more than 40 trusts were forced to delay or cancel operations.

WannaCry made headlines around the world, drawing the attention of governments and regulators to the often woeful lack of cyber security within many large businesses and public sector bodies.

But one year on, have we learned anything? The answer, I would argue, is no. Basic IT failures are still happening, stupid security mistakes are still being made and no one, it would seem, has learned a damn thing.

As a case in point, let's take the WannaCry attack itself. As malware goes, WannaCry was not particularly sophisticated - at least, not from a technical standpoint. The reason it was able to spread so prolifically is that it took advantage of two pre-existing vulnerabilities: EternalBlue and DoublePulsar. These were critical vulnerabilities, allowing WannaCry to propagate itself exponentially.

Here's the rub, though: these exploits weren't zero-days. Microsoft had issued patches for them months before the outbreak even occurred. This, if nothing else, is the lesson of WannaCry: patch your damn systems. It shouldn't be that difficult, and it is one of the most basic steps that anyone can take to secure themselves. And yet, according to a Tanium study marking the dubious anniversary, two-thirds of organisations have not improved their patch management systems in the wake of WannaCry.

Of course, part of the blame for why no lessons have been learnt from WannaCry can be laid squarely at the feet of the security industry. For a solid year, virtually every cyber security firm in the world has been using the WannaCry outbreak as a big, scary stick which it can use to beat people into purchasing its protections. "See," they say; "this is what happens when you don't have a polymorphic, exoplasmic, hyper-next-gen 360-degree threat neutralisation suite! That'll be $300,000 per year, please."

Security vendors are right, up to a point; threats like WannaCry are a big deal, and organisations need to do more to prepare for them. What the infosec companies are conveniently leaving out, however, is that a surprisingly large proportion of threats can be stymied simply by applying software patches as soon as they are available. This isn't a substitute for having a solid security system in place, admittedly. But then, having a security system is no excuse for neglecting to apply patches either.

Don't get me wrong, I understand that updating software can be a total pain in the neck. Like testing your smoke alarm every two weeks, it's something we know we should do, but don't. We've all been guilty of repeatedly postponing that earnest little alert informing us that honestly, it's really rather important that we apply this update - I've been ignoring one such update for about two weeks on the trot, because it keeps coming up at inconvenient times.

It's a bad habit, though, and it's one that security firms should be helping all of us to break. The simple fact is that, alongside good password hygiene, a disciplined update schedule is the foundation of effective security. Without it, even the most sophisticated security suite is little more than a castle built upon sand.

If the IT industry as a whole takes one lesson from WannaCry, let it be this: take the time to update your systems. Patch fully, and patch often.

You don't have to make it your number one priority (although by rights, it should be) but make sure it's at least in the top three. If you're considering shelling out for a new security package to fight the growing tide of ransomware threats, take a look at your patch procedure first, because if you take care of your patches, then in most cases, they'll take care of you.

Featured Resources

Security analytics for your multi-cloud deployments

IBM Security QRadar SIEM solution brief

Download now

Five reasons to move to the cloud

Join the enterprises moving their workloads to the cloud

Download now

Architecting hybrid IT and edge for digital advantage

Why business leaders should consider a hybrid IT strategy

Download now

Six reasons to accelerate remote asset monitoring with AI

How to optimise resources, increase productivity, and grow profit margins with AI

Download now

Recommended

Lazarus APT hacking group is targeting the defense industry
Security

Lazarus APT hacking group is targeting the defense industry

26 Feb 2021
FedEx and DHL phishing emails target Microsoft users
phishing

FedEx and DHL phishing emails target Microsoft users

24 Feb 2021
Hackers are using Google Alerts to help spread malware
hacking

Hackers are using Google Alerts to help spread malware

22 Feb 2021
North Korea expected to increase cyber attacks due to COVID struggles
hacking

North Korea expected to increase cyber attacks due to COVID struggles

22 Feb 2021

Most Popular

How to build a CMS with React and Google Sheets
content management system (CMS)

How to build a CMS with React and Google Sheets

24 Feb 2021
How to connect one, two or more monitors to your laptop
Laptops

How to connect one, two or more monitors to your laptop

25 Feb 2021
How to find RAM speed, size and type
Laptops

How to find RAM speed, size and type

26 Feb 2021