Slap a patch on it

So it happened. A large chunk of UK infrastructure got hit by a major cyber security attack.

By 'attack' I don't mean something specifically targeted against the NHS in the UK. Indeed, it seems the WannaCry ransomware spread globally and hit a wide range of systems. However, targeted or not, if your systems are affected, even opportunistically, you're under attack.

The fact that this attack wasn't targeted is what makes it so serious. If someone is making an actual, determined effort to attack you, then they're going to be looking for the chinks in your armor. If on the other hand the attack is opportunistic, then no-one was actively looking for those loopholes. Instead, they simply knew that a wide range of systems out there would be exposed to a particular security bug.

The fact that the security vulnerabilities in question already had patches available demonstrates the importance of keeping systems up to date in a timely manner.

Patch management is just one of many important angles to cyber-security. It's just as important as investing in good firewalls, good anti-malware, and good security policies. Without patch management, even otherwise secure systems can become vulnerable.

No-one should be under any illusions here. It's entirely possible that systems impacted by WannaCry did have anti-malware installed and were sitting behind firewalls. They still got hit, because this one crucial area of cyber-security was neglected.

Let's get the obvious stuff out of the way first. Keeping systems up to date means not using old operating systems. Windows XP is now fifteen years old. Microsoft had already patched the vulnerability that WannaCry exploited, but last week Microsoft took the highly unusual step of also releasing the patch for Windows XP and Windows Server 2003. That's the right thing to do in a world where so many people still run these operating systems. It's also something they shouldn't have to do.

It's time to wake up to the simple and obvious risk equation: the costs involved in upgrading your systems are small fry compared to the costs involved in those systems going down through a cyber-attack.

It's also a simple and obvious equation that the costs involved in investing in security are focussed on preventing the much more costly outcome of a breach. Many organisations spend huge amounts of money on Disaster Recovery solutions. Usually this is to deal with the possibility of, say, a fire. Such risks are far less likely than a cyber-attack. Even if we factor in arson, how many people, right now, are actually trying to set your server room ablaze? How many people are engaged in activities that, targeted or otherwise, could compromise your systems? Remember, it's a big internet out there. Unlike an arsonist, a cyber-criminal could be on the other side of the world.

It's not good enough to assume you're too small a target. WannaCry should act as a reminder that we're all a target, all the time. You don't get a cold because the cold virus 'chose you'.

Investing in good patch management is pretty basic stuff. Even on modern operating systems like Windows 10, keeping your systems verifiably up to date is vital. It's not a panacea, but then nor are anti-malware or firewalls. You need a range of technologies working in combination to have robust security. This should always be combined with good training for users to ensure they aren't the weak link.
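"Verifiably up to date" means being able to answer, per machine, three questions: is the operating system still supported, are the updates your policy requires actually installed, and is anything still waiting to be installed? The PowerShell below is an added example, not code from the article or its author, that reports exactly that for the host it runs on. The KB list is a placeholder to be replaced with whatever your own patch policy mandates, and the list of unsupported OS names is an assumption limited to the two systems the article names; nothing here changes the machine.

```powershell
# Added example (not from the article): read-only patch-state audit of one Windows host.
# Reports OS support status, required KBs that are missing, days since the last
# installed update, and updates that Windows Update knows about but has not applied.

$RequiredKBs = @('KB0000000')   # PLACEHOLDER: replace with the KB IDs your patch policy mandates

# 1. Operating system and whether it is one the article names as out of support.
#    (Assumption: matching on the OS caption is enough for this illustration.)
$os = Get-CimInstance -ClassName Win32_OperatingSystem
$unsupportedNames = @('Windows XP', 'Windows Server 2003')
$osUnsupported = $unsupportedNames | Where-Object { $os.Caption -like "*$_*" }

# 2. Installed hotfixes compared against the required list.
$hotfixes  = Get-HotFix
$installed = $hotfixes | Select-Object -ExpandProperty HotFixID
$missing   = $RequiredKBs | Where-Object { $installed -notcontains $_ }

# 3. Days since the most recent update was installed (some entries have no date).
$lastInstall = $hotfixes |
    Where-Object { $_.InstalledOn } |
    Sort-Object InstalledOn -Descending |
    Select-Object -First 1
$daysSince = if ($lastInstall) {
    (New-TimeSpan -Start $lastInstall.InstalledOn -End (Get-Date)).Days
} else { $null }

# 4. Updates offered by the configured update source but not yet installed.
#    Uses the Windows Update Agent COM API; needs a reachable WSUS/Windows Update endpoint.
$pending = @()
try {
    $session  = New-Object -ComObject Microsoft.Update.Session
    $searcher = $session.CreateUpdateSearcher()
    $result   = $searcher.Search("IsInstalled=0 and Type='Software' and IsHidden=0")
    $pending  = @($result.Updates | ForEach-Object { $_.Title })
} catch {
    Write-Warning "Could not query Windows Update: $($_.Exception.Message)"
}

# One record per host, suitable for collecting centrally or exporting to CSV.
[pscustomobject]@{
    Computer        = $env:COMPUTERNAME
    OS              = $os.Caption
    OSVersion       = $os.Version
    OSUnsupported   = [bool]$osUnsupported
    MissingKBs      = ($missing -join ', ')
    DaysSinceUpdate = $daysSince
    PendingCount    = $pending.Count
    PendingUpdates  = ($pending -join '; ')
}
```

Run it under an account that can query WMI and Windows Update, and treat any host with `OSUnsupported` true, a non-empty `MissingKBs`, or a large `DaysSinceUpdate` as a finding to act on rather than a number to file. Collecting the output from every machine is what turns "we patch" into something you can actually verify.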

In the meantime, it's important to not slip back into complacency. This latest attack will fade as systems are cleaned, and it slips from the headlines, but the next attack could be just around the corner. With success comes confidence. Right now many hacking groups could well be feeling pretty overconfident. So, defend yourself - together we can make a difference.

Michael Raggett

Insurance Specialist at Protect Select - Part of the SGA Group.

7 years

Well said Mark Lomas
