WannaCry: A Lesson in Cybersecurity Basics

On March 14, 2017, Microsoft released a critical patch to address a security vulnerability on its Windows operating system. On May 12, eight weeks later, the WannaCry global ransomware attack exploited that exact vulnerability, impacting over 230,000 computers in more than 150 countries that did not yet have the patch installed. It seems that a lesson in cybersecurity basics is overdue.

Given the high-profile attacks on Home Depot, Target, Ashley Madison and others in recent years, it is surprising that so many organizations neglected a simple software update. While an increase in the sale of cyber-liability insurance following WannaCry is likely, the insurance industry can play a key role in educating consumers on key steps they can take to prevent them from filing a claim.

But first, it is important to understand why it is easy to ignore installing patches and updates in the first place.

The path of least resistance

People usually do what is easy, and keeping computer systems up to date can be anything but. In a joint University of Edinburgh and Indiana University study, just 21% of participants reported a positive experience with running software updates. Windows updates are often a particular pain point, occurring monthly. Specific complaints about installing updates include:

• Too long to install
• May introduce compatibility issues with third-party software
• While updates and patches are typically free, the IT personnel required to install them are not

As a result, some organizations may delay updating their systems. Funding and compatibility issues were both cited as factors explaining why Britain’s National Health Service (NHS) was vulnerable to WannaCry.

Update overload

Software updates are not always straightforward – Microsoft’s release on March 14 consisted of 18 individual installations, and even IT professionals and security experts struggled to identify which ones were truly necessary. One security company posted a blog on the most important updates to install, but omitted the one that addressed the WannaCry vulnerability.

And that is just for Windows. Employees often rely on third-party programs to do their work, and most of those have regular updates as well. As cyber threats evolve, managing software updates while ensuring that computer systems still function as expected is a challenge that will only become more complex over time.

Lag time

One research project studying 8.4 million computers showed that from the time a software update is released, it takes users with at least some computer expertise an average of 24 days to perform the installation. For non-expert users, as many as 45 days can pass before even 50% of them do likewise.

Even more worrying, many organizations (including Britain’s NHS) still use older versions of Windows such as XP – versions that Microsoft no longer supports or updates, making it even easier for hackers to compromise them.

The lesson of WannaCry

The hard lesson learned is that running updated, patched software is a necessary part of any cybersecurity program, complementing other tools such as firewalls, password management and employee training (many of which are detailed in resources available on CSIO.com). The insurance industry can play a role in educating customers about ways to minimize cyber risk, limiting and perhaps even preventing attacks like WannaCry in the future.