
WannaCry: a lesson for any company with an aging estate and weak recovery

What the WannaCry attack reveals about the real state of patch management and recovery readiness in most organisations.

On 12 May 2017 one of the largest ransomware waves in history began. Within a few hours WannaCry infected hundreds of thousands of machines across dozens of countries - hospitals, transport companies, manufacturing plants, telecoms operators. Many were forced to halt operations.

Technically, the attack exploited a vulnerability in the Windows implementation of the SMB protocol, for which Microsoft had released a patch in March - two months before the attack. Those who had applied the update in time were unaffected. Those who had not were defenceless.

This is not a story about a sophisticated zero-day attack. It is a story about patch management.

Why patches do not get installed

I will not pretend the answer is obvious. In real organisations there are several reasons updates get delayed or never installed at all.

Fear of breaking things. OS and application updates sometimes break compatibility. In production environments where critical systems must run without disruption, teams prefer not to take the risk.

An aging estate with no official update path. Windows XP stopped receiving security updates in 2014. But it keeps running in manufacturing plants, hospitals, and transport systems - because specialised equipment is tied to a specific OS version, and updating means replacing the entire system.

No process. No inventory, no schedule, no responsible owner. Updates happen when someone remembers.

Infrastructure that is not centrally managed. In companies with distributed offices and decentralised IT support, pushing an update to all machines is a project in itself.

What the attack revealed

WannaCry made visible something that had existed for a long time: a vast number of organisations operate with an unmanaged backlog of security updates.

Even more alarming than the infections themselves was what happened next. Organisations without proper backups faced a choice: pay the ransom or lose the data. Some paid. Some lost.

This is the second lesson: patch management and recovery readiness are not the same thing, but they must exist together. Patches reduce the probability of an incident. Backups determine how destructive the incident is when it happens anyway.

What this means for a leader

For a director or owner, this incident is a reason to ask the IT team a few direct questions.

First: do we have a current inventory of all systems, including the age of operating systems and versions of key software?

Second: do we have a policy for installing security updates, and is it followed?

Third: what is our backup situation - how often are backups made, where are they stored, when was the ability to actually restore from them last tested?

Fourth: if a critical system were unavailable for a full day tomorrow - what are the business consequences and is there a plan?

On legacy systems

There is a separate uncomfortable question about systems that physically cannot receive updates. Industrial equipment running Windows XP, medical devices with fixed firmware, telecoms systems that have not been patched in years.

There is no easy answer here. But the minimum protective measure is segmentation: these systems must be isolated from the rest of the network so that an infection on them cannot spread across the whole infrastructure.

WannaCry spread so fast precisely because inside corporate networks everything was connected to everything. Segmentation does not impede operations. It limits the scale of the catastrophe.
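As an added example (not from the original post), here is an nftables ruleset for the firewall that routes between a legacy VLAN and the rest of the corporate network. The addresses, the historian host and the jump host are assumptions; the point is that the legacy segment gets only the few flows it needs, and SMB on TCP 139/445, the path WannaCry used to spread, is logged and dropped in both directions.

```nftables
# Assumed layout (constructed for this example):
#   10.10.50.0/24  legacy segment (Windows XP industrial hosts, fixed-firmware devices)
#   10.10.20.5     historian / data collector the legacy hosts must report to
#   10.10.30.10    engineering jump host allowed to administer the legacy hosts
table inet legacy_isolation {
    set legacy_hosts {
        type ipv4_addr
        flags interval
        elements = { 10.10.50.0/24 }
    }

    chain forward {
        # Default deny: anything not explicitly allowed below is dropped
        type filter hook forward priority filter; policy drop;

        # Return traffic for connections that were already permitted
        ct state established,related accept

        # SMB is never allowed across the segment boundary, in either direction.
        # Listed before the allow rules so no later rule can accidentally permit it.
        ip saddr @legacy_hosts tcp dport { 139, 445 } log prefix "legacy-smb-out " drop
        ip daddr @legacy_hosts tcp dport { 139, 445 } log prefix "legacy-smb-in " drop

        # Legacy hosts may only reach the historian, and only on its collector port
        ip saddr @legacy_hosts ip daddr 10.10.20.5 tcp dport 8443 accept

        # Only the engineering jump host may reach the legacy segment, RDP only
        ip saddr 10.10.30.10 ip daddr @legacy_hosts tcp dport 3389 accept

        # Everything else between the legacy segment and the rest of the estate
        # is dropped by the chain policy; log it so unexpected flows are visible
        ip saddr @legacy_hosts log prefix "legacy-out-drop " drop
        ip daddr @legacy_hosts log prefix "legacy-in-drop " drop
    }
}
```

Load it with `nft -f` on the segmenting firewall and watch the `legacy-*` log prefixes: any hit on the SMB rules is a sign that something inside the legacy segment is probing for neighbours.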
