The ransomware attack that is underway world-wide is concerning on many levels. The mainstream news media have correctly reported on the harm it is causing, by impacting large organisations like the UK’s National Health Service (NHS). However, there has been less reporting about the sub-standard IT support practices in place in some of these organisations.
Microsoft Patching Importance
The ransomware attack exploits a Microsoft vulnerability in their operating systems. This was patched back in March 2017 by Microsoft, and available via Windows Update for supported versions. The question I would be asking the NHS is how up to date is their Microsoft patching, and why are they not up to date, and whose responsibility this is ? I understand that patching a supported desktop fleet is major undertaking. However, I would have more sympathy if the ransomware attack exploited a new Microsoft vulnerability, for which no patch existed at that time.
NHS Running Windows XP Still – Really ?
I have done email migration consulting for healthcare providers, and have often encountered very poor IT management, coupled with use of out of support desktop Operating Systems like Windows XP. For example, Microsoft have not patched Windows XP as it is out of their support – something every company who uses it will be fully aware. Whilst checking the latest information on the NHS being hit, it turns out that they are still using Windows XP – I find this unbelievable !! Furthermore, my thoughts are that the NHS IT Management need to answer to the question: “Why are you running Windows XP which is unsupported by Microsoft, and therefore exposed to malware attack ?”. This is on the scale of criminal negligence, in my opinion.
This attack has demonstrated the impact of a massive malware attack on an IT environment that is not patched up to date. I would like to see accountability for those responsible for patching in each business. Let’s see some hard questions being asked.
I would like to see a balanced reporting on this story that covers all the facts. The NHS have indicated that people’s lives have been put at risk – malware attacks are not new, and sadly, neither is poor IT operational management. I have singled out the NHS for this story, but the same questions apply to other organisation’s affected.
Read more on the impact at the NHS here.