An inevitable ransomware disaster?
Unless you’ve been living under a rock, you can’t have failed to hear about the huge ransomware attack which has happened around the world in the last few days.
The most high profile casualty in the UK was the NHS, with all of the awful consequences that can have for people who need health care without the delays, dangers and downright frustrations of computer issues getting in their way.
Having had a weekend to sort things out, much of the initial problem has been dealt with, but today workers return to computers which may not have been switched on when the problem first arose on Friday, and which could restart the chain of events when they are fired up.
Sadly this event is no surprise (without wishing to sound like a ‘we told you so’, we wrote about this spectre specifically in February this year).
The most important thing that can happen now is learning! This is a case study in what happens when you do not keep systems up-to-date. The vulnerability in Microsoft Windows which allowed these ransomware attacks to happen was dealt with by Microsoft in March. A patch was issued which would have updated any PCs which are set to auto-update or which were manually dealt with by their owners or users.
That’s not to say anyone who didn’t patch machines was being lax. Big organisations have to be cautious about adding updates, in case they cause unintended consequences or don’t play nicely with other software.
This is the problem for large parts of the NHS, which has a lot of ageing but critical specialist software. You can’t always just apply an update to a multi-million-pound scanner and expect it to keep working.
However, you can and should put a higher priority on the less complex but still crucial systems, like appointment scheduling and patient records. A failure to invest in upgrades across much of the NHS has ultimately made the organisation vulnerable. As of last Christmas it was reported that 90 per cent of the NHS was still reliant on Windows XP – an operating system which had its manufacturer support removed three years ago.
To be clear, this wasn’t a sophisticated attack on national infrastructure. It was done using widely available software and didn’t rely on any clever social engineering tricks; it relied only on your computer not having been patched against the vulnerability.
The learning here is to:
- Keep your machines up-to-date wherever possible and as quickly as possible when patches are released, or hand that job over to a managed service provider (like Bespoke Computing) to manage for you;
- If you can’t apply patches (or daren’t, for the reasons outlined above), get some professional help to identify what you can fix and what needs to be attended to in the medium to longer term to negate any further risks (like replacing older systems in a managed way which avoids disruption);
- Make sure staff are regularly reminded of computer security best practice, because they are the biggest risk if they open dangerous emails or are not careful in the myriad other ways which can allow attackers into your systems.
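The first two points above come down to one question an IT team should be able to answer for every machine: what operating system is it running, and when was it last patched? The script below is an added example written for this post (it is not code from Bespoke Computing or from the original article) that answers that question for a single Windows PC. It assumes Windows PowerShell 5.1 or later with CIM/WMI available, and the 30-day "stale patch" threshold is an illustrative policy value, not something the post specifies.

```powershell
# Added example (not from the original post): a quick patch-posture check for one Windows PC.
# Assumptions: Windows PowerShell 5.1 or later with CIM/WMI available; the 30-day
# "stale" threshold is an illustrative policy value, not something the post specifies.

function Get-PatchPosture {
    param(
        [int]$StaleAfterDays = 30   # assumed policy threshold, adjust to your own patch cycle
    )

    $os = Get-CimInstance -ClassName Win32_OperatingSystem

    # Windows XP reports kernel version 5.1; Microsoft ended XP support in April 2014,
    # so any machine matching this can no longer receive security patches at all.
    $unsupported = $os.Version -like '5.1*'

    # Get-HotFix lists installed updates (Win32_QuickFixEngineering); the newest
    # InstalledOn date shows how current the machine is. Entries with no date are skipped.
    $hotfixes = Get-HotFix | Where-Object { $_.InstalledOn } | Sort-Object InstalledOn -Descending
    $latest   = if ($hotfixes) { $hotfixes[0].InstalledOn } else { $null }
    $age      = if ($latest) { (New-TimeSpan -Start $latest -End (Get-Date)).Days } else { $null }

    [pscustomobject]@{
        Computer        = $env:COMPUTERNAME
        OperatingSystem = $os.Caption
        OsVersion       = $os.Version
        UnsupportedOS   = $unsupported
        NewestPatchDate = $latest
        DaysSincePatch  = $age
        # Flag the machine if it is out of support, has no recorded patches,
        # or has not received an update within the policy window.
        NeedsAttention  = $unsupported -or ($null -eq $age) -or ($age -gt $StaleAfterDays)
    }
}

Get-PatchPosture | Format-List
```

Run it on a workstation and the `NeedsAttention` field tells you at a glance whether that machine belongs on the "patch now" list or the "replace in a managed way" list from the points above. `Get-HotFix` also accepts a `-ComputerName` parameter, so the same check can be pointed at remote machines from a management host. Note that `Get-HotFix` only reports hotfix-style updates, not antivirus definitions or feature upgrades, so treat it as a first screen rather than a complete inventory.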
Hopefully this will make lots of organisations and businesses and their leaders take this issue really seriously now. We and our peers in the IT sector have been warning about a mass incident like this for a long time but we take no pleasure in being proved right. We’d just like to see the attackers more easily defeated by good practice across the board.
If you have been affected or are concerned that you are not properly protected against highly disruptive threats like this one, feel free to give us a call for a chat today.