A year on from WannaCry, a new kind of system is needed for security maintenance

We have just passed the one-year anniversary of the WannaCry cyber-attack, a ransomware outbreak that hit hundreds of thousands of computers in homes and businesses around the world, encrypting vital data and taking systems out of service. The most notable victim was, of course, the UK's National Health Service, where many clinics running on unpatched computers had their systems frozen. The NHS has since announced a £150 million investment to bolster its cyber-security defences.

Three months after a "lessons learned" report from the Department of Health and Social Care stressed the need to apply critical security patches, much work remains to secure critical infrastructure against cyber-attack. The Department is still under fire for not knowing what the proposals will cost or when they will be implemented.

Many clinics and hospitals relied on computers that were missing recent security updates, or that were running software no longer supported at all, and that left them exposed to the attack. But why did so many practices find themselves running unprotected, outdated software for so long, and with such dangerous consequences? The answer lies in the way large organisations usually buy software and hardware.

Many organisations purchase their large-scale IT infrastructure on an ad-hoc, product-by-product basis. Systems are updated as and when staff notice a need and feel there is time to make a change. In large, high-pressure organisations this can be infrequent, and in organisations like the NHS, where staff are under huge stress and time pressure, their systems are under the same pressure.

In many cases, patches are not installed regularly enough; sometimes an operating system goes a decade without a full upgrade. Running software that is no longer supported by its manufacturer effectively paints a target on an organisation's back: once vendor support ends, no security patches are issued, so every vulnerability discovered from then on stays exploitable for as long as the software remains in use. The problem is becoming more pronounced as attack tooling becomes more automated, allowing attacks to be carried out at large scale and at an unrelenting pace.

In high-pressure working environments, IT, and cyber-security in particular, is often an afterthought or a siloed department. But the cyber-attacks on companies and public bodies over the last year demonstrate that IT belongs at the forefront of operational planning in any large organisation of national importance.

One way to tackle this problem is to change the relationship between organisations and the software and hardware providers they buy from. Many rely on Enterprise Agreements (EAs), under which a vendor agrees to supply a specified amount of software and hardware over a set timeframe. EAs have been evolving in recent years to offer customers more support, and many now include security and software updates.

Large and complex organisations need EAs with a software-as-a-service element: a contract between customer and supplier under which hardware and software are fully supported on a rolling basis rather than at the point of sale.

Instead of an organisation simply buying IT infrastructure from a provider and then having to update, maintain and replace it itself, under an evolved EA this becomes largely the vendor's responsibility. It is always in a vendor's interest that customers run the most up-to-date versions of its software, both to deliver the best user experience and to encourage renewal, so the vendor can take on the continued maintenance of these systems. This removes the burden of maintaining systems in-house across a vast and sprawling network of different products. The agreement should still state how quickly critical patches will be applied, and the customer should keep the means to verify that they have been; outsourcing maintenance does not outsource accountability.

EAs are used in many sectors, and in recent years they have evolved to better accommodate the changing needs of businesses looking for greater flexibility. Many now bundle security, network and other hardware support into the same package, and many are available on a pay-by-usage basis. This means firms can accelerate innovation in their IT systems through a single agreement.

The WannaCry attack, and the many high-profile cyber-attacks that have followed in the past year, have highlighted the urgent need for organisations of every kind to put cyber-security first. But in high-pressure environments where staff have little bandwidth to update systems, a new kind of agreement is needed to guarantee sustained protection.

Contributed by Ben Boswell, VP Europe for World Wide Technology.

*Note: The views expressed in this blog are those of the author and do not necessarily reflect the views of SC Media UK or Haymarket Media.
