The Lessons We Learned from WannaCry about Unsupported Software
By Jorge Rodriguez
The recent WannaCry ransomware attack made headlines around the world because it exploited a weakness that is frighteningly common. The worm spread through a flaw in the SMBv1 file-sharing protocol of Windows, hitting machines on supported versions of Windows that had not yet installed Microsoft's March 2017 patch (MS17-010), as well as older, end-of-support versions such as Windows XP and Windows Server 2003 for which, at the time of the outbreak, no patch existed at all.
Upgrading and patching are the standard advice for protecting supported products, and for many of them it takes only a few clicks. But what about the systems within your organization that the vendor has sunset and no longer supports?
The fact is that out-of-date, unsupported software is still widely used within major enterprises, and those legacy systems may well be running an organization's most critical operations, exposing the business to an intrusion in which data could be ransomed for far more than WannaCry's $300 in Bitcoin.
Sadly, the owners of hundreds of thousands of infected machines in some 150 countries learned the hard way a lesson other businesses may still not fully grasp: outdated, end-of-support software opens you up to attacks that can do lasting damage to your infrastructure and your brand, especially when that software handles the transfer and integration of business-critical data, including that of your customers and trading partners.
Managed file transfer (MFT), EDI and integration platforms are very different technology from the Windows hosts WannaCry hit, but the root cause is the same. The affected enterprises were unaware of (or indifferent to) the fact that their operating systems were exposed. In the same way, an unsupported MFT, EDI or integration solution is exposed from the moment the vendor stops maintaining it: new vulnerabilities will still be found in it, and no fix will follow.
Critics might say that replacing these legacy solutions would be complex, disruptive or expensive, but what would they say if malware were choking their data flows and holding the business hostage?
Nonetheless, there are a few lessons businesses can take from WannaCry when it comes to their critical MFT, EDI and integration technology:
- Legacy solutions are inherently risky: Top-level decision makers in every enterprise must understand the risk of running unsupported legacy solutions and build a way to address it. That starts with an inventory of what is actually in use and whether the vendor still supports it; the remedy could be as simple as renewing a support contract so that patches keep arriving, or as substantial as replacing the out-of-date solution.
- Employees are part of a secure integration strategy: Early reports claimed that WannaCry began with victims opening a malicious attachment from a spam email; later analysis found that the worm spread on its own by scanning for exposed SMB services, with no user action required. Phishing nonetheless remains a leading way for ransomware to get in, so trained, aware employees are still key to an enterprise-wide security plan, and your integration solution must be simple enough for them to use yet secure enough to protect the data and the organization.
- Your business model might be outdated, too: Global enterprises need their systems to remain stable and accessible without a costly migration every few years. It may be time to consider a cloud or managed-services option, where your critical integration technology runs in a secure environment operated by specialists who keep it patched and supported.
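As an added example (not code from the original article), the following Python script shows the first step the lessons above call for: triaging an asset inventory for hosts whose operating system is past vendor end-of-support, or is supported but behind the patch that closed WannaCry's entry point, and putting hosts that still expose SMBv1 at the top of the list. The inventory, the host names, the assessment date and the product-name keys of the support table are constructed for illustration; the end-of-support dates and the MS17-010 release date are public Microsoft dates.

```python
"""Triage an asset inventory for end-of-support and unpatched hosts.

Added example, not code from the original article. The inventory below
is constructed; the support-table keys assume the inventory names
products exactly as Microsoft does.
"""
from datetime import date

# Public Microsoft end-of-support dates. None means the product was still
# supported on the assessment date used here (an assumption for the example).
END_OF_SUPPORT = {
    "Windows XP": date(2014, 4, 8),
    "Windows Server 2003": date(2015, 7, 14),
    "Windows 7": date(2020, 1, 14),
    "Windows Server 2008 R2": date(2020, 1, 14),
    "Windows 10": None,
}

# MS17-010, the fix for the SMBv1 flaw WannaCry exploited, shipped on the
# March 2017 Patch Tuesday. A host last updated before that date is exposed.
MS17_010_RELEASE = date(2017, 3, 14)

# Constructed assessment date: a few days after the May 2017 outbreak.
ASSESSED_ON = date(2017, 5, 15)

# Worse statuses sort first in the triage output.
SEVERITY = {"unsupported": 3, "unpatched": 2, "unknown": 1, "ok": 0}


def triage_host(host, assessed_on):
    """Classify one inventory record and list the findings its owner must act on.

    `host` has keys name, os, last_patched (date or None) and smb1_enabled (bool).
    """
    findings = []
    if host["os"] not in END_OF_SUPPORT:
        # Not knowing the support status is itself a finding, not a pass.
        status = "unknown"
        findings.append("OS not in the support table; confirm vendor status")
    else:
        eol = END_OF_SUPPORT[host["os"]]
        if eol is not None and eol <= assessed_on:
            status = "unsupported"
            findings.append(f"vendor support ended {eol.isoformat()}; no fixes are coming")
        elif host["last_patched"] is None or host["last_patched"] < MS17_010_RELEASE:
            status = "unpatched"
            findings.append("last security update predates MS17-010 (2017-03-14)")
        else:
            status = "ok"
    # SMBv1 exposure is flagged even on patched hosts: it is the protocol
    # the worm spoke, and the next SMBv1 bug will not wait for a patch cycle.
    if host["smb1_enabled"]:
        findings.append("SMBv1 enabled: reachable by WannaCry-style worms; disable or isolate")
    return {
        "name": host["name"],
        "status": status,
        "smb1_enabled": host["smb1_enabled"],
        "findings": findings,
    }


def triage_inventory(inventory, assessed_on):
    """Triage every host, worst status first, SMBv1-exposed hosts ahead of others."""
    results = [triage_host(h, assessed_on) for h in inventory]
    results.sort(key=lambda r: (SEVERITY[r["status"]], r["smb1_enabled"]), reverse=True)
    return results


# Constructed sample inventory (host names and dates are made up).
SAMPLE_INVENTORY = [
    {"name": "fileserver-01", "os": "Windows Server 2003",
     "last_patched": date(2015, 6, 1), "smb1_enabled": True},
    {"name": "ws-042", "os": "Windows 7",
     "last_patched": date(2017, 1, 10), "smb1_enabled": True},
    {"name": "ws-117", "os": "Windows 7",
     "last_patched": date(2017, 4, 12), "smb1_enabled": False},
    {"name": "edi-gw", "os": "Vendor MFT appliance OS",
     "last_patched": None, "smb1_enabled": False},
    {"name": "ws-200", "os": "Windows 10",
     "last_patched": date(2017, 4, 12), "smb1_enabled": True},
]

if __name__ == "__main__":
    for result in triage_inventory(SAMPLE_INVENTORY, ASSESSED_ON):
        print(f"{result['name']:<14} {result['status']:<12} {'; '.join(result['findings'])}")
```

The output lists the end-of-support file server first, then the supported-but-unpatched workstation, then the appliance whose vendor status nobody has confirmed; the fully patched Windows 10 host still carries an SMBv1 finding, which is the point of separating "patched" from "not exposed". The same structure works for MFT, EDI and integration products once their vendor support dates are added to the table.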
Businesses fight off WannaCry-like attacks from all directions every day, and eliminating the weaknesses exposed by unsupported software is no less essential to a secure IT infrastructure. Address any such vulnerability sooner rather than later, especially since experts predict that subsequent attacks will only get worse.