WannaCry about cybersecurity? Consider this first

In an event that has been called the WannaCry ransomware attack, hackers encrypted data on computers all around the world. The victims – which included hospitals and car factories – had to pay ransom in Bitcoin to get their files back.

Computers without up-to-date operating systems were particularly vulnerable to the attack.

People who have never come into contact with the internal IT operations of a large company find this hard to understand. Why don’t companies just install the latest patches, as private individuals do on their home computers?

Software engineer Jürgen ‘tante’ Geuter has a nice blog post that explains why things are not so simple in the real world: “Why don’t they just update?”

Geuter starts with an observation. Businesses rely on computing systems that are a tailor-made hodgepodge of software:

Software systems in the real world, especially when it comes to software systems in large organizations, are extremely complex and very rarely created synchronously or by one entity. What this means is that a new storage management system will have to interact with the weird, 10-year-old custom mini-ERP system that the organization uses, its somewhat strange Active Directory user management, its proprietary and 20-year-old PLC systems and most probably Excel. Lots of Excel. Excel is god.

[Bank related interruption here: the cited snippet will sound very familiar to bankers working in the back office or middle office. The emphasis on Excel will definitely resonate with a lot of office workers.

Outsiders would be surprised if they saw how much work is done in Excel. Data is processed with pivot tables. Analysts build models in spreadsheets. Manage a project? Excel. Plan holidays? Excel. Manual corrections? Excel. Testing? Excel. Evaluations? Excel.¹]

But let’s get back to the story of complex IT systems:

All these parts have a history, have their own requirements, their own vendors, and potentially certifications. It’s a huge mess to sort these things out (…).

The point is: (a) it is hard to get a system up and running and (b) nobody knows all the interdependencies between the components.

What’s the best heuristic to deal with an unpredictable fragile system?

Answer: If it ain’t broke, don’t fix it.

Inexperienced techies often think they’re much smarter than the managers who are responsible for the business side. “Just tweak a few steps and it’s all going to work better.”

However, in the case of a complex system, the manager with the ‘if it ain’t broke, don’t fix it’ mentality will be right most of the time. A seemingly more stable, elegant or efficient ‘solution’ might actually fuck up a crucial business process.

That is the reason why companies don’t update operating systems on crucial computer infrastructure. As long as the old system is working, why take the risk of downtime?

Geuter shows that testing even one simple update would quickly cost thousands of euros. On a system that was working fine.

Read his whole post if you’re into this sort of stuff.

Just don’t assume that you found the silver bullet by saying “install the updates, dummies”.

Do you want to know more about banks, central banks or monetary policy? Follow me on Twitter!

  1. The use of Excel in banks deserves a separate post, given its popularity and the fact that spreadsheets are often riddled with errors.
