The worldwide cyber-attack demonstrates a lack of security culture

IT professionals will have come to work this morning amid warnings following last week’s cyber-attack. Late on Friday morning stories started to emerge about the National Health Service being compromised by a ransomware attack. By the evening it was apparent that the incident was worldwide. The latest reports suggest 150 countries worldwide have been hit.

The UK press will inevitably continue to portray this as an NHS cyber-attack. To get to grips with what’s really happened it’s important for the specialists to put that idea out of their minds. 150 countries have not been hit by a targeted cyber-attack on a single-country organisation, however important it may be. The NHS has been caught in the slipstream of a worldwide assault.

An assault which could have been rendered completely ineffectual.

Updated software stops cyber-attacks

It feels peculiar to be writing something so basic but it seems necessary. In the same way that journalists end up writing things like “don’t use your partner’s or pet’s name as your password” with a sinking feeling that people shouldn’t really be doing this anyway, we’re now having to write “keep your systems up to date”.

Specifically, a lot of the computers that allowed the latest breach to happen were running Windows XP. That would be the system released on 24 August, 2001. That would be nearly 16 years ago.

Consider for a moment any other pieces of machinery or work equipment that age. If you had a fleet of vehicles and hadn’t run maintenance schedules on them, you’d expect them to be falling to pieces. If you had medical equipment that wasn’t updated and maintained for a decade and a half you’d be worried.

And yet something in the culture of the IT professional has said it will be OK to be “getting around to” updating the computer systems. This is a system that Microsoft declared would be unsupported – no security updates, nothing – in 2014. In April the same year, Private Eye ran a piece saying this was a crisis waiting to happen (it’s not online but it’s in the 18 April edition if readers happen to have an archive handy).

Not political

And yet the crisis hit and we’re threatened with continued difficulties.

We need to be clear. A number of commentators with political motivation have said this is due to the NHS not having the money or other resources to keep systems up to date. That may be a factor but it doesn’t explain how 149 other countries were hit by the same thing.

The underlying difficulty (other than some criminals not caring who or what they hurt, which is a given) has to be that although IT professionals know perfectly well that a 16-year-old system will not stand up to the current environment, a handful think it’s OK to stick the update on the to-do list and assume it will take care of itself.

It isn’t. It won’t. And that’s why the problem has been so huge.