The reality is more complex than a simple morality tale about lazy admins ignoring best practice and then receiving their comeuppance when the inevitable security event occurs. If you talk to people who work in organizations where patches aren’t applied and server and client operating systems are old enough to get a driver’s license, you’ll hear groans of frustration about changes they know should happen being deprioritized by people further up the chain.
Non-IT companies care little about IT
Most businesses don’t have IT as a focus. At best these businesses consider IT a utility, in the same way that they think about their phone or electrical systems. The argument from IT companies that “all companies should see themselves as IT companies” is seen as self-serving at best and disingenuous at worst. In companies that don’t have an IT focus, operating systems, like phones, electrical systems and photocopiers, aren’t replaced until they stop working or can no longer be used to get the job done.
While the attitude of IT people is that newer is better than older and that one should always run the most recent version of everything, the attitude of the people who count the dollars at non-IT-focused organizations tends to be a little different, perhaps even pragmatic. When prompted to upgrade or apply the most recent patches, they ask: “does the benefit of upgrading or patching justify the cost?”
Whose job is it to make the horse drink?
You’ll hear people argue that it’s IT’s job to convince business decision makers of the correct strategy: to inform them of the risk of not upgrading, and to carefully lay out the case for why running an unsupported or unpatched set of operating systems and applications is a bad idea.
As the saying goes, you can lead a horse to water, but you can’t make it drink. You can tell management that they need to replace their old, outdated systems until you are blue in the face, but from their perspective the equipment still works, and there are more urgent priorities for organizational expenditure than placating the (likely reasonable) concerns of the IT staff.
What to do when they don’t follow advice?
I’ve talked to people in that position who feel that their options at that point are either to keep working for the organization and bring it up again later, hoping to get a different answer, or to move on to an employer with a more enlightened attitude towards software updates and end-of-support timeframes.
The reality is that most people in this situation do eventually move on, because the vast majority of talented IT people don’t want to work in an environment where the technology is archaic and management doesn’t listen to reasonable arguments from IT staff. There are certainly people who are content to sit tight and not rock the boat, but most are aware that they are harming their career by staying in a static environment, and that they would have trouble moving elsewhere should it become necessary because they’d lack experience with and knowledge of newer technologies.
There’s always a service provider who needs money
For these reasons, private companies that don’t upgrade tend to eventually have no in-house IT staff. It’s also much cheaper for organizations that see IT as nothing more than a utility expenditure to outsource IT tasks to a service provider.
A service provider may recommend that the organization upgrade and update, but ultimately it’s not their business at risk. Some service providers are unwilling to work with organizations that run unsupported operating systems and infrastructure. Others, though, especially in an economy where workloads are being moved to the cloud and other IT work is simply drying up, go with the motto that “the customer is always right”, even if that means the customer is engaging in risky behaviour. These service providers ensure that backups are taken and that recovery procedures are in place, and charge appropriately to put out the inevitable fires that arise.
Not their first time on the CryptoLocker merry-go-round
Depending on who you ask, between 50% and 70% of organizations have already dealt with one or more CryptoLocker-type infections (https://blog.barkly.com/ransomware-statistics-2016). This means that while WannaCry has certainly impacted a lot of organizations, a great number of them have already been through the process of dealing with and recovering from a ransomware infection.
This gives them a more philosophical approach to this type of event. If it only cost X dollars to recover from the last infection and the business was back on track within a couple of days, then there is less impetus to move to the newest and best systems on offer, especially as there is still no guarantee of immunity from future attacks even on fully patched, current systems.
If they won’t take the lifeboat, that doesn’t mean you shouldn’t
The reality is that if an organization hasn’t upgraded from Server 2003 or Windows XP, or isn’t ensuring that updates are applied in a timely manner, then events such as WannaCry probably aren’t going to change things. That is worth noting because WannaCry spread through an SMB vulnerability that Microsoft had patched on supported versions of Windows in March 2017, about two months before the outbreak; organizations that applied that update promptly were not exposed, while unsupported XP and Server 2003 systems only received a fix in an out-of-band release after the damage was done. Most organizations want to do the right thing, but simply have other things on their plate that take precedence, even over nasty ransomware infections that might gunk up all of their business-critical data for a few days.
If you work in IT at such an organization, you aren’t doing your long-term career any favors by staying there, and you should aim to work somewhere that does prioritize what you do. Do your best to avoid environments where your skill set ends up as out of date and as unpatched as the computers used by the people who work there.