A new study polled IT professionals about their response to WannaCry. The numbers aren't surprising, and that's not necessarily a good thing.
Enterprise automation company 1E recently released a report on the IT response to WannaCry. The report's findings are largely as expected, provided you expect reports on IT behavior to reveal lax security habits.
We've learned a lot about WannaCry since its outbreak two months ago. The most important lesson may be that Microsoft patched its attack vector in March, which reveals quite a bit about what's in 1E's report.
From the 86% of respondents who weren't ready to the 73% of management teams not making more cybersecurity resources available, the report underscores what many already know: Cybersecurity isn't the priority it should be.
Unprepared and forced to play catch up
The outbreak of WannaCry sent IT teams scrambling, at least according to 1E's report. As mentioned above, 86% of respondents had to take preventive measures to protect themselves against the malware despite the fact that Microsoft patched its target vulnerability in March.
Detection and patching of vulnerable systems took half of respondents up to a week, and a further quarter spent between a week and a month finding all their weak links. All of that work led to 47% of respondents putting in a weekend of overtime and 23% more putting in at least two weekends.
1E points out an interesting correlation between the number of respondents forced to take preventive measures and those who delay releasing security patches: It's the exact same 86% figure.
If you're part of an IT team that waits to push Windows updates and patches, that should definitely raise a red flag. There are plenty of reasons why patches get delayed, but in our current environment of constant cybersecurity threats there's no excuse for putting them off.
Where to place the cybersecurity blame
The IT vs. management conflict has been around for a while. If the respondents in the report are to be taken at their self-reported word, then it isn't going anywhere.
Take this contrast as an example: 71% of respondents said WannaCry has led to an increased intent to keep systems up to date, but at the same time 73% said management hasn't made any additional resources available to make it happen.
74% also said that WannaCry left their organization better prepared to respond to future threats, but 87% said their organization isn't accelerating its Windows 10 deployment plans.
Only 11% of respondents said they've completely migrated to Windows 10. Up-to-date operating systems and security patches are an essential part of protecting a business from security threats. Windows 10 has been out for two years now, and with 98% of WannaCry victims running Windows 7, OS updates should be a priority.
Why they aren't is still up for debate.
Don't blame—take action
It's easy to see a study like this and feel overwhelmed. Time and again we hear of malware outbreaks fueled by missing patches, lax security, and old OSes. The knee-jerk response is to find someone to blame, but that's not a solution.
IT leaders need to become security evangelists: they're the ones in their organization who know the threats, how severe they are, and how easily they can get into a network and wreak havoc. But is that being communicated?
Security needs to be related to management in ways they can understand, namely how it connects to the general business mission as a whole. One of the best ways to do that is to frame security as a monetary investment—you have to spend money to make it, or in this case to protect it.
A few thousand spent on upgrades now might seem like a big budget hit, but it will pale in comparison to the lost productivity, ransoms, and damage caused by a malware outbreak.
Want to use this data in your next business presentation? Feel free to copy and paste these top takeaways into your next slideshow.
- 86% of respondents were unprepared for the outbreak of WannaCry. This led to 70% having to put in weekend overtime to get caught up on missing security patches.
- 86%—the same percentage that were unprepared for WannaCry—said their organization delays the release of security updates.
- 73% of respondents believe that management has failed to give them the resources they need to stay current on cybersecurity.