As the global WannaCry ransomware attack began spreading to computer systems around the world on May 12, Microsoft president Brad Smith quickly responded by publicly blaming part of the problem on businesses which don't keep up with critical security patches, leaving their systems vulnerable to attackers.
Smith's comments came in response to critics who had blamed Microsoft for leaving systems vulnerable in the first place by not doing enough sooner to assist customers and for ending security patches for older operating systems such as Windows XP and Windows Server 2003. Many enterprises, including hospitals and a wide range of businesses, still rely on systems running older operating systems or embedded operating systems, leaving them open to hackers and ransom attacks.
The problem with that argument, according to several industry analysts who spoke with ITPro, is that Smith and Microsoft are right this time to criticize IT administrators and their companies that are failing to keep their systems patched and updated.
Smith said the attack provided graphic evidence about "the degree to which cybersecurity has become a shared responsibility between tech companies and customers." The spread and disruption of WannaCry "is a powerful reminder that information technology basics like keeping computers current and patched are a high responsibility for everyone, and it’s something every top executive should support." But Smith didn't stop there. He also blasted the way government agencies have handled sensitive security disclosures.
That's not wrong at all, Charles King, principal analyst with research firm Pund-IT, told ITPro.
"For all intents and purposes, I'm with Brad Smith on this," said King. "Microsoft sent customers a 'critical' advisory along with a patch to fix the vulnerability on March 14, a month before The Shadow Brokers released the attack vulnerability that ransom-ware hackers exploited." In addition, Microsoft also took the very unique step of recently releasing security updates to address the vulnerability for Windows XP and Server 2003, even though they are both years past their Extended Support lifetimes.
"It's hard to imagine what more Microsoft could have done," said King. "That people are attempting to lay blame on the company says volumes about them, and about the curious view that some have of software vendors in general and Microsoft in particular."
In addition, if critics want to point a finger, "the NSA which reportedly discovered the vulnerability and then failed to warn hospitals and other organizations is a better target than Microsoft," he said. "But the fact is that many or most of those affected by WannaCrypt had the chance to secure their systems and failed to do so. "
Another analyst, Dan Olds of Gabriel Consulting Group, said Smith makes a reasonable argument in saying that business must do a better job of defending themselves as well.
"Customers have to take at least a little responsibility for their own security," said Olds. "If they don't have an automatic update mechanism and they don't apply patches manually, they're going to be at risk – it's as simple as that."
Lots of users, particularly those who are overseas, don't use automatic updates and leave their systems vulnerable, he said. "Many of these same folks are running systems with outdated operating system versions. I can see this happening with individuals, but can anyone in their right mind use an unsupported version of an operating systems on a banking or hospital system? That's insanity."
Since Microsoft offered patches for this vulnerability before the attacks took place, "then it's on the users to apply those patches for their own safety," said Olds.
Jan Dawson, the chief analyst with Jackdaw Research, said "the reality is [Microsoft has] done everything it could to get people to upgrade, to provide patches for recent versions of Windows, and so on. At some point, organizations which don't update or patch their software even in the face of a steady stream of security threats can't expect their suppliers to fix things for them."
Rob Enderle, principal analyst with Enderle Group, agreed.
"Microsoft rushed out a patch before the attack which is pretty much all they can do," said Enderle. "People didn't patch and a huge number of those hit were running versions of Windows that were either way out of date or pirated. Even so Microsoft did attempt to patch what they could at a massive cost to the firm."
Ultimately, "Microsoft will take a lot of heat for this, but in this instance, they performed as rapidly as they could, they have a right to be [angry]."
The attack has reportedly hit 74 countries including the U.K., U.S., China, Russia, Spain, Italy and Taiwan. Windows 10 was not affected by the WannaCry attacks.