By: Act! Blog | 6/20/2017
The May 2017 cyberattack known as “WannaCry” was one of the most far-reaching ransomware attacks in history, affecting hundreds of thousands of computers in more than 150 countries. Victims of the attack included the British National Health Service, FedEx, the Russian Interior Ministry and Spanish telecom giant Telefonica. That attack cost those businesses more than money—it also eroded the trust their clients and customers had placed in them, damaging their brands and hurting their reputations.
What’s especially vexing about this ransomware attack is that it could have been avoided. All the victims of the attack would have needed to do is install a Microsoft update in March—one which would have fixed the security flaw which left them vulnerable—but hundreds of thousands of businesses didn’t, which has security experts asking “Why?” Why, when critically important security updates are made freely available do so many users not take advantage of them?
Several recent studies have found that a surprisingly large number of people, including security experts and software engineers, either take weeks to install critical software updates, like the one which would have prevented the WannaCry attack, or don’t install them at all. Here is just a sampling of what those studies found:
Updates Are Confusing and Interrupt Work
The companies which put out software updates are partly responsible for the lack of attention users give them. Here are 3 of the top reasons users don’t install recommended updates:
How Software Companies Can Help Solve the Problem
There’s a reason security experts and engineers, although themselves sometimes slow to install updates, generally do so more quickly than regular users—they understand the potential vulnerabilities those updates might fix. That puts the onus on software companies to do a better job of explaining to users why updates are critically important, and which updates are essential.
Elissa Redmiles, a National Science Foundation Research Fellow whose work focuses on understanding how users make security decisions, recommends that software companies must also do a better job making updates more seamless and less disruptive:
“Software companies are working on making updates more seamless and less disruptive. Google’s Chrome web browser, for example, installs updates silently and automatically—downloading new information in the background and making the changes when a user quits and then reopens the program. The goal is for the user not to know an update even happened.”
Every interaction your business has with customers--from email to website traffic to a transaction to a phone call—matters. That includes protecting their sensitive data, housed on your computers. If your customers' data is compromised, they won't blame the software company--they'll blame you, and nothing will destroy the trust you’ve worked so hard to build more quickly or irrevocably than a security breach. That means you need to install every software update, and do so as soon as possible after it’s made available.