WANNA CRY AND PERSONAL RESPONSIBILITY
The Users of Technology Also Need to be Held Accountable
What is the role of personal responsibility in the Wanna Cry attack?
There is no shortage of blame in the aftermath of the Wanna Cry cyber attack. Today alone I have seen blame lists that include the NSA, Microsoft, the technology industry, anti-virus companies, the criminal hackers themselves, and more. Every story needs a villain, and this one has many.
Unfortunately, what I have seen little of is an acknowledgment that some of this was caused by “self-excused user ignorance”: the unwritten belief that one can keep using a system and, if something goes wrong, they are not responsible because they do not understand the technology. This is completely devoid of personal responsibility. No other aspect of life would allow for this. Companies running five, 10 and in some cases 15-year-old operating systems have received multiple requests, warnings, and demands to upgrade, but have blindly gone about their business and are now reaping the returns of their ill-advised and irresponsible practices. How can this be blamed solely on the manufacturer? It cannot.
Factoid: while the number of infected machines is in the hundreds of thousands, the number of machines that had current patches properly installed is a lower number. In fact, as far as we can tell, it is zero. ZERO. Any blame for the ramifications of this attack must include user irresponsibility.
If you are responsible for your own system, and you failed, shame on you. You had plenty of warning. Windows 10 has been out for two years. Windows updates have been out for months. All major anti-virus software had been patched to prepare for this outbreak. If you are a small business or independent contractor responsible for client data, and that client data has been compromised, you need to take responsibility for your inaction.
IT Department Failure
If you are an IT department that has neglected this, it is hard to have sympathy for you. You have failed the first directive. You have protected neither your users nor your enterprise. FAIL. At what point was running a five, 10, or 15-year-old antiquated operating system supposed to not be okay? There is no good excuse for an IT department to allow vulnerabilities like this to exist. No matter how system critical a platform is, failure to protect it is never acceptable.
Budgets? I have heard this one several times today. Running a five, 10, or 15-year-old operating system year in and year out when Microsoft has offered to give you, for free, the replacement software makes the whole budget argument pretty lame. Yes, it costs money to maintain networks properly. It costs a lot more to restore them after an unnecessary and neglectful crash.
Now that this has occurred, the “we can’t afford”, “we don’t have the time”, and “maybe next year” excuses will suddenly vanish. Where was that resolve last week?
Self-excused User Ignorance
Not understanding technology is an invalid excuse in business. I have no idea how an automatic transmission works, yet I’m responsible for driving a vehicle that has one. I have no idea how many of the technical marvels in my business life perform their various functions. However, in each case, I am responsible for their execution, and for my ability to honor my commitments when I depend upon them.
Breakdowns occur all the time. They are a fact of life and of business. We are measured by how well we avoid them, and how well we respond when we encounter them. There is a difference between getting a flat tire on a well-maintained vehicle and driving an unsafe vehicle with four bald tires, knowing they are bald, refusing to do anything about it, then blaming Michelin when the inevitable nail takes you out, and perhaps others with you.
Microsoft today said that this was a wake-up call for governments and their behaviors. I completely agree with this assessment. However, it is also a wake-up call for individuals and businesses to be more accountable for maintaining minimally acceptable standards of security. Not to do so, as we have seen, can put the entire enterprise at risk.