NS Tech

The worldwide cyber-attack demonstrates a lack of security culture

IT professionals will have come to work this morning amid warnings following last week’s cyber-attack. Late on Friday morning stories started to emerge about the National Health Service being compromised by a ransomware attack. By the evening it was apparent that the incident was worldwide. The latest reports suggest 150 countries worldwide have been hit.

The UK press will inevitably continue to portray this as an NHS cyber-attack. To get to grips with what’s really happened it’s important for the specialists to put that idea out of their minds. 150 countries have not been hit by a targeted cyber-attack on a single-country organisation, however important it may be. The NHS has been caught in the slipstream of a worldwide assault.

An assault which could have been rendered completely ineffectual.

Updated software stops cyber-attacks

It feels peculiar to be writing something so basic but it seems necessary. In the same way that journalists end up writing things like “don’t use your partner’s or pet’s name as your password” with a sinking feeling that people shouldn’t really be doing this anyway, we’re now having to write “keep your systems up to date”.

Specifically, a lot of the computers that allowed the latest breach to happen were running Windows XP. That would be the system released on 24 August, 2001. That would be nearly 16 years ago.

Consider for a moment any other pieces of machinery or work equipment that age. If you had a fleet of vehicles and hadn’t run maintenance schedules on them, you’d expect them to be falling to pieces. If you had medical equipment that wasn’t updated and maintained for a decade and a half you’d be worried.

And yet something in the culture of the IT professional has said it will be OK to be “getting around to” updating the computer systems. This is a system that Microsoft declared would be unsupported – no security updates, nothing – in 2014. In April the same year, Private Eye ran a piece saying this was a crisis waiting to happen (it’s not online but it’s in the 18 April edition if readers happen to have an archive handy).

Not political

And yet the crisis hit and we’re threatened with continued difficulties.

We need to be clear. A number of commentators with political motivation have said this is due to the NHS not having the money or other resources to keep systems up to date. That may be a factor but it doesn’t explain how 149 other countries were hit by the same thing.

The underlying difficulty (other than some criminals not caring who or what they hurt, which is a given) has to be that although IT professionals know perfectly well that a 16-year-old system will not stand up to the current environment, a handful think it’s OK to stick the update on the to-do list and assume it will take care of itself.

It isn’t. It won’t. And that’s why the problem has been so huge.