When the Petya malware arrived in Europe this week, it seemed at least at first like a repeat the WannaCry cyber-attacks in May.
The victims were running Microsoft Windows computers that had not been patched to close a vulnerability in the SMBv1 protocol. Microsoft issued the patch in mid-March, and since that time the company has released security updates for Windows versions stretching back to XP. Yet those computers remained vulnerable.
When the Petya malware emerged this week companies in Europe were the hardest hit, although some U.S. companies were affected as well. If there is any good news, it’s that the rate of infection seems slower than last time and the malware doesn’t seem to be as efficient at attacking across networks as WannaCry was. In addition, the lower rate of infection may be the result of organizations actually applying Microsoft’s patches on a timely basis.
But the obvious question has to be, why aren’t some companies bothering to fix their Windows operating systems, even in the face of an obvious threat? The excuses are many. Some IT managers worry that a patch may somehow break something in their IT environment. Others don’t have the resources to do their jobs. Some organizations don’t have an actual IT staff, while in others work with shadow IT environments in which nobody really knows what computers are systems they are running and which need maintenance.
All of those problems have solutions, although in a couple of cases the solution lies outside of the IT staff. For example, when the IT staff doesn’t have the resources to fix their own systems, it speaks directly to C-level incompetence.
A CEO or CFO who fails to allocated the funds necessary to pay for essential resources needed to maintain at least adequate basic levels of cyber-security is too blind to the need to bolster their organization’s cyber-security shouldn’t keep their jobs. The stockholders of companies that got hit by the likes of Petya and WannaCry should be screaming for blood at the next annual meeting.
For those organizations where there are sufficient resources, but IT management was unwilling to update their software, then the incompetence is at that level. Considering that there have now been malware attacks lasting for years that depend on vulnerabilities in out-of-date and unpatched operating systems, there simply is no excuse for failing to find a way to patch those systems. Yet the excuses continue.
What’s really going on is that the top management in the IT shop either doesn’t know how to manage patches, or they’re woefully out of touch with the requirements to run a secure enterprise environment. The problem with being out of touch may mean that may mean that management is in a state of denial, thinking that it won’t happen to them. But of course, eventually, it will.
For companies without any real IT organization, the only real solution is to find an IT contractor with a good track record. Fortunately these are common in most cities. While it costs money to hire a security contractor, it’ll cost a lot less than it will to recover your systems after a malware attack. This really boils down to doing a cost analysis of what it will cost to hire help, versus what it will cost to go out of business, perhaps forever.
Dealing with shadow IT is thornier. There, the IT organization is weak, perhaps intentionally so, and the employees have found ways to do it themselves. It takes a while to overcome the cultural impact of such a situation because some of the employees won’t want to surrender their roles. But if the company is going survive after a malware attack, it’s necessary. Perhaps the best way to overcome cultural barriers is by including the staff that’s doing the shadow IT into the process of creating a real solution.
Then we’re back to the IT department and the excuses, whether they come from the IT managers or a higher level. This may be the time to present the need for improvement to upper management and to do so using real examples from WannaCry and Petya.
It’s fairly easy to quantify the cost of such attacks as they would be applied to your company, and to explain how your security, as good as your management thinks it is, isn’t adequate without proper patch management.
If your C-level executives are so focused on the bottom line at the end of the quarter that they can’t see the risk, then it may be possible to point out that they’re willing to pay for locks on the doors and fire suppression in the computer room—unless of course they’re skimping on those too. Then there are really only two possible options, first to find a way to let your investors know the risk and the second is to reduce the risk to you by leaving to find a job at a company willing to support adequate levels of cyber-security.
And that brings us to the last option, which is to remember that skilled and experienced IT staff jobs are going unfilled in vast numbers. Moving to a company that’s not run by idiots may be your best option. But in either case, the time for excuses has ended and it’s now time to actually find a way to fix your enterprise IT vulnerabilities.