Following the recent spate of ransomware attacks on businesses and government agencies across the world, the security press has largely focused on patching and updates as the key to protection against ransomware and malware in general. Thorough patch-management policies are an essential part of doing business online, but the push to patch ignores the fact that many enterprise organizations are not in a position to apply patches as soon as they become available.
The main vulnerability exploited by WannaCry and Petya, EternalBlue, was patched many months ago by Microsoft as part of a package of updates addressing the NSA exploits leaked by the Shadow Brokers. Although most ransomware is capable of exploiting multiple vulnerabilities, and of using other strategies, to compromise machines, if the organizations affected by WannaCry and Petya had patched their machines, the likelihood is that they would have been safe from this set of attacks.
Beyond the specifics of recent attacks, patching is often heralded as the obvious solution to vulnerabilities, and those who are compromised are shamed for not having applied patches in good time. The implication is that organizations have not applied security patches because of incompetence, laziness, or some other variety of institutional failure.
But the fact is that many organizations are not able to quickly apply patches or to update to the newest versions of operating systems. Enterprise organizations move slowly. They have millions, and potentially billions, of dollars tied up in legacy applications that will not run on the most recent software. It’s easy to say that organizations should update, but when a legacy application provides critical functionality to the business and downtime is unthinkable, any updates have to be applied carefully after multiple tests or not at all.
To be clear, there are organizations that don’t have this excuse but fail to apply patches or adhere to basic security precautions, often because security doesn’t do much for the bottom line. Those organizations should be shamed, especially when their focus on cost-saving puts customer data and business operations at risk.
But for companies reliant on legacy software, crowing about updates isn’t helpful, and it misses the point. It’s more reasonable to focus on a technique that guards against the worst consequences of ransomware: secure, off-site, and up-to-date backups.
While there are good reasons for an organization to avoid patching, there are no good reasons for it to avoid backing up. A backup is insurance against all manner of disasters, including ransomware. If a ransomware attack does make it through a company’s other layers of defense, that’s unfortunate, but the response is simply to restore the lost data from a backup that the attack could not reach.
The organizations that best weather malware attacks go beyond static data backups to hot and cold redundant systems housed in an offsite data center, allowing them to quickly switch to backup infrastructure while restoring primary systems, affording at least a measure of business continuity.
While patching is an essential part of modern IT security, it is not a replacement for secure backups. Given how hostile the threat environment is, every organization should strive to implement off-site backups as a key defense against ransomware.