Why don't They Just Update?

With the massive WannaCry ransomware outbreak over the last few days, and the fact that Microsoft actually released a patch that prevents its attack vector back in March, the question many are asking is, why on earth don’t organizations just update their software? It’s not that difficult. Consumers do it all the time. Well, as this blogger explains, it is not quite as easy as it sounds, and in many cases it comes down to cost. Within the world of IT the risks of unpatched systems are well understood, but the problem comes when one has to sell the costs associated with testing, installing and supporting updates to the system, CNC machine or MRI scanner to management or investors, especially since this cost is “just to keep the system the way it was before.”

The difficulty appears to rear its ugly head when weighing the rather large potential future cost associated with falling victim to ransomware or data theft, against the much smaller (but still significant) cost of service contracts and keeping software patched and up to date. Many executives, manufacturers and medical professionals who are not IT specialists simply lack the ability to assess the likelihood and massive impacts of falling victim to this type of attack, at least until it is too late. It’s human nature for current, real costs to sting more than future uncertain costs that may never happen at all.

The author suggests regulation as one answer: require organizations key to healthcare and critical infrastructure to keep long-term service contracts on their operating systems and software implementations, and better educate non-critical organizations so that they understand the implications and factor them into the financial calculations associated with keeping software updated. With a little luck, this outbreak will serve as part of that education, and convince organizations to better prioritize and budget for security updates, but I’m not convinced it will. We humans have a long history of conveniently disregarding the unpopular and costly, and instead letting the pendulum swing between non-action and crisis-mode. Personally I have very little faith this will change anything, but I guess it doesn’t hurt to be hopeful?

First: We give entities better tools to estimate the costs of not updating to nudge them in the right direction. The problem with this is that many still will take the cheap road and just hope nothing breaks. Because it’s just software, right? If you don’t touch it, it will run forever! (Which is the argument used by many software companies and automation experts to sell that whole shebang.)

Source: [H]ardOCP – Why don’t They Just Update?