Protecting against ransomware requires up-to-date operating systems

The WannaCry malware attack last month has woken up business leaders to the importance of keeping computer operating systems up to date. Companies across industries were affected by the ransomware attack, in which users’ data was held hostage. The business disruptions were severe in some cases, but the greater lesson from this episode is how much worse it could have been if a “kill switch” hadn’t been discovered relatively soon after the attack. Across essentially all industries, business would grind to a halt if data on products, customers, vendors, and business processes became unavailable.

The key point about WannaCry is that it exploited an operating system vulnerability that had been discovered — and fixed — earlier this year, for those who installed the updates. Modern operating systems incorporate sophisticated identity and access management technologies that, when properly implemented, greatly reduce the threat of unwanted access. But flaws in complex software will be found, and when they are they must be fixed immediately.

It’s odd that such a basic need is so often ignored, but not especially surprising. Since the dot-com crash in the early 2000s, there’s been a general malaise among IT departments concerning their perception of the significance of operating system maintenance for both client devices and servers. We estimate that a typical organization is two to three major operating system iterations behind.

One reason for this is reluctance to upgrade from a system with familiar features and interfaces. Another reason is software used in the organization’s various lines of business may be incompatible with modern operating systems. IT managers often lament they can’t envision updating an operating system for as many as five years from present because it’s so difficult to update or replace older, legacy applications.

In those situations, the organization needs to make a priority of upgrading or replacing the legacy software. The risk of delay is just too great. Often, this fact is obvious to IT managers but not to other leaders in their organizations, who might prefer to channel IT budget dollars toward more glamorous purposes.



WannaCry should serve as a wake-up call to business leaders to heed their IT departments’ pleas to ensure system software and configurations stay up to date. An analysis of high-profile corporate hacks can serve as a further wake-up call, because these also emphasize the centrality of the operating system in promoting security. For examples of 10 prominent corporate hacks, including their execution and resolution, see

All these stories in the news point to the importance of training staff to recognize abnormal activity and threats — but even more, to recognize that the single greatest impact on an organization’s security is an ongoing commitment to keep operating systems current and properly configured.

James Savage is founder and president of systems integrator and consulting firm Concurrency Inc.

Click here to sign up for the free IB ezine — your twice-weekly resource for local business news, analysis, voices, and the names you need to know. If you are not already a subscriber to In Business magazine, be sure to sign up for our monthly print edition here.