When the Petya malware arrived in Europe this week, it seemed at least at first like a repeat the WannaCry cyber-attacks in May.
The victims were running Microsoft Windows computers that had not been patched to close a vulnerability in the SMBv1 protocol. Microsoft issued the patch in mid-March, and since that time the company has released security updates for Windows versions stretching back to XP. Yet those computers remained vulnerable.
When the Petya malware emerged this week companies in Europe were the hardest hit, although some U.S. companies were affected as well. If there is any good news, it’s that the rate of infection seems slower than last time and the malware doesn’t seem to be as efficient at attacking across networks as WannaCry was. In addition, the lower rate of infection may be the result of organizations actually applying Microsoft’s patches on a timely basis.
But the obvious question has to be, why aren’t some companies bothering to fix their Windows operating systems, even in the face of an obvious threat? The excuses are many. Some IT managers worry that a patch may somehow break something in their IT environment. Others don’t have the resources to do their jobs. Some organizations don’t have an actual IT staff, while in others work with shadow IT environments in which nobody really knows what computers are systems they are running and which need maintenance.
All of those problems have solutions, although in a couple of cases the solution lies outside of the IT staff. For example, when the IT staff doesn’t have the resources to fix their own systems, it speaks directly to C-level incompetence.
A CEO or CFO who fails to allocated the funds necessary to pay for essential resources needed to maintain at least adequate basic levels of cyber-security is too blind to the need to bolster their organization's cyber-security shouldn't keep their jobs. The stockholders of companies that got hit by the likes of Petya and WannaCry should be screaming for blood at the next annual meeting.
For those organizations where there are sufficient resources, but IT management was unwilling to update their software, then the incompetence is at that level. Considering that there have now been malware attacks lasting for years that depend on vulnerabilities in out-of-date and unpatched operating systems, there simply is no excuse for failing to find a way to patch those systems. Yet the excuses continue.
What’s really going on is that the top management in the IT shop either doesn’t know how to manage patches, or they’re woefully out of touch with the requirements to run a secure enterprise environment. The problem with being out of touch may mean that may mean that management is in a state of denial, thinking that it won’t happen to them. But of course, eventually, it will.