For the 200,000-plus victims of the WannaCry ransomware attack, a short period of blame was replaced by awareness of the reality that complacency creates vulnerability.
The malware spread through a flaw in the SMBv1 file-sharing protocol that affected many Windows versions, not only Windows XP. Microsoft had patched supported versions in March 2017 (security bulletin MS17-010), two months before the outbreak; Windows XP, already out of support, received the fix only under “custom” support, priced at $1,000 a year (the XP patch has since been issued free).
Becky Pinkard, vice president of service delivery and intelligence at data consultancy Digital Shadows, says WannaCry was a wake-up call for those who thought such attacks only happened to banks or point-of-sale devices.
“This is not a new type of attack,” she says. “We’ve seen worm events from the early 2000s, including things that propagate much more quickly. We’ve seen things that are certainly just as damaging with regard to the encryption and potential of not being able to get your files back at all.”
Pinkard notes that any connected organization presents an attack surface, and says the problems multiply for complex enterprises that operate globally and are highly disparate in how they work and interact.
“We can’t say, ‘Get this system and you are going to be good for 10 years, and eight years into it you need to start to plan your next purchase again,’ because of the variety of systems and complexity of applications used on the system,” she explains. “Businesses are always merging or acquiring, getting contractors, releasing consultants, changing projects, getting new budgets, releasing budgets—all of those things are just the tip of the iceberg that impacts a security budget and the way security can be tied into the IT setup and infrastructure.”
Moreover, with technology continually changing, she says the challenge is for people to understand that a patch doesn’t make the problem go away. Patching is not a point-in-time fix; it requires ongoing attention and security maintenance.
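One concrete form of that ongoing maintenance is a recurring check that the exposure WannaCry used is actually closed on every host, not just that a patch was deployed once. The PowerShell below is an added example, not code from the article or from Digital Shadows. It assumes Windows 8.1 / Server 2012 R2 or later for the feature and SMB-server cmdlets, falls back to the registry value Microsoft documents for older builds, and takes a `$RequiredKbs` list that you must fill in from the MS17-010 bulletin for your OS build (the placeholder is an assumption, not a value from the page).

```powershell
# Added example (not from the article): report whether a host is still exposed to
# the SMBv1 flaw WannaCry exploited (fixed by MS17-010), and optionally close it.
# Run elevated. $RequiredKbs is a placeholder: fill it from MS17-010 for this OS.

function Test-Smb1Exposure {
    [CmdletBinding()]
    param(
        # Assumption: the caller supplies the MS17-010 KB IDs for this build.
        [string[]]$RequiredKbs = @()
    )

    $result = [ordered]@{
        Smb1FeatureEnabled = $null   # Windows optional feature (8.1 / 2012 R2+)
        Smb1ServerEnabled  = $null   # LanmanServer setting (8 / 2012+)
        Smb1RegistryValue  = $null   # Registry fallback used on Windows 7
        MissingKbs         = @()
    }

    # 1. Optional feature; the cmdlet does not exist on Windows 7, hence the guard.
    if (Get-Command Get-WindowsOptionalFeature -ErrorAction SilentlyContinue) {
        $feat = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
        if ($feat) { $result.Smb1FeatureEnabled = ($feat.State -eq 'Enabled') }
    }

    # 2. SMB server configuration.
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        $result.Smb1ServerEnabled = (Get-SmbServerConfiguration).EnableSMB1Protocol
    }

    # 3. Registry value Microsoft documents for disabling SMB1 on older builds.
    #    On Windows 7 a missing value means SMB1 is enabled (the default).
    $regPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $result.Smb1RegistryValue = (Get-ItemProperty -Path $regPath -Name SMB1 -ErrorAction SilentlyContinue).SMB1
    $legacyOnly = ($null -eq $result.Smb1FeatureEnabled) -and ($null -eq $result.Smb1ServerEnabled)
    $regEnabled = if ($null -eq $result.Smb1RegistryValue) { $legacyOnly } else { $result.Smb1RegistryValue -ne 0 }

    # 4. Installed hotfixes versus the list the caller supplied.
    if ($RequiredKbs.Count -gt 0) {
        $installed = (Get-HotFix).HotFixID
        $result.MissingKbs = @($RequiredKbs | Where-Object { $_ -notin $installed })
    }

    $result.Exposed = ($result.Smb1FeatureEnabled -eq $true) -or
                      ($result.Smb1ServerEnabled -eq $true) -or
                      $regEnabled -or
                      ($result.MissingKbs.Count -gt 0)
    [pscustomobject]$result
}

function Disable-Smb1 {
    # Weak setting: SMB1 left enabled. Corrected setting: off at every layer.
    if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    }
    if (Get-Command Disable-WindowsOptionalFeature -ErrorAction SilentlyContinue) {
        Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart
    }
    $regPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    Set-ItemProperty -Path $regPath -Name SMB1 -Type DWord -Value 0 -Force
}

# Usage (elevated):
#   $status = Test-Smb1Exposure -RequiredKbs @('KB…')   # fill from MS17-010
#   if ($status.Exposed) { Disable-Smb1 }
```

Schedule the check rather than running it once: the point of the quote above is that a host patched today can be re-exposed by a rebuild, an image that still has SMB1 on, or a newly acquired network segment. Disabling SMB1 can break legacy printers and NAS devices, so run `Test-Smb1Exposure` across the estate first and treat the `Disable-Smb1` step as a change to be tested, not an unattended fix.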