WannaCry is a wake-up call for the excessive numbers of companies needlessly dragging their feet over Windows 10 migrations. Certainly since Friday, we’ve seen an upswing in interest from companies hoping – suddenly – to accelerate the migration process, or automate their patching processes.
No doubt about it, the attacks gave a vivid illustration of something we have been saying for some time: stay current on your software updates. By running a very out-of-date operating system like Windows XP, Britain’s NHS and thousands of other companies left themselves wide open to attack.
The NHS might be thought to present a special case in a number of ways – it’s a government organization, it runs medical devices, etc. What does the bigger picture look like, regarding OS deployments in large organizations? Well, last month, we released a report, The State of the Migration: Enterprise Windows 10 in 2017, based on a survey of more than 1,000 U.S. IT professionals.
We wanted to know – specifically – where everyone’s Windows 10 migration was at, how long they were taking (or were expected to take), and how they were planning to get there.
Certainly, the wider migration to enterprise Windows 10 is in motion. However only 6% of respondents from companies of 50,000+ employees said migration was complete, and 64% of respondents said that they expected their company’s Windows 10 rollout to take more than a year. That’s a long time when you consider exposure to things like WannaCry that are addressed by the 17 (and counting) new security features in Win 10.
The irony is, then, that even in their effort to ‘stay current,’ and get onto a more secure operating system in the form of Windows 10, the length of time required to complete the upgrade – coupled with the rapid release cadence of Windows 10 – means that large organizations can easily end up running multiple versions of the operating system at once, including several desperately out-of-date ones.
Having an up-to-date operating system is crucial, of course. There are no guarantees, but in features such as Device Guard, Credential Guard and Secure Boot, users are safeguarded by additional lines of defense simply not available on Windows 7 (let alone XP). Windows 10 shouldn’t just be construed as a hurdle to get over, however. Getting there also presents an opportunity for a smoother, more automated IT infrastructure that safeguards against the kind of anachronism and vulnerability WannaCry has taken advantage of.
What is required here is no less than a cultural shift in the heart of enterprise IT. Organizations who are of the mindset that software updates, patches and upgrades can be delayed need to instead make it a habit to implement updates as soon as they are available. Newer versions of software mean more secure software, yes, but it also means better software. Your enterprise has paid for it, after all, why not take advantage of it?
Yes the update process can look frighteningly expensive and time consuming. But that’s when automation can and should be called upon. Automation can ensure updates run like clockwork, without disrupting the business. An automated OS deployment leaves you with an infrastructure able to keep up with other software updates, and vice-versa. In addition, when all updates are in place, large migrations such as the one to Windows 10 become much easier.
No one is trying to convince anyone that this kind of cultural shift is itself a cure-all. But it will make companies a hell of a lot more secure, and may protect yours from the next variation of WannaCry.
What should companies do now, today, in the face of the WannaCry threat? As you read this, your Board of Directors is probably asking your CEO what’s being done to reduce exposure. Your CEO will in turn ask the CIO, who may in turn ask you. Here’s what we recommend:
- Make sure you have a process in place to periodically report on whether software on all devices is current or not. As part of this, look at which software was purchased and which was not. The software your organization purchased is less likely to be a security risk, so focus on the rest first. And specifically look for devices running SMB1 and disable them.
- Put in place the systems required to automate future software updates. Taking this off of IT’s plate leaves them with time to focus on non-routine things, and ensures updates are completed in a timely matter rather than delayed by other priorities requiring IT bodies.
- Inevitably, hackers will still get through – make sure you have the ability to respond to threats – by issuing patches, for instance – in real time across all devices, rather than in waves over the course of days or weeks.