Why we don't patch, with Jess Dodson: Lock and Code S03E02

Why we don’t patch, with Jess Dodson: Lock and Code S03E02

In 2017, the largest ransomware attack ever recorded hit the world, infecting more than 230,000 computers across more than 150 countries in just 24 hours. And it could have been solved with a patch that was released nearly two months prior.

This was the WannaCry ransomware attack, and its final, economic impact—in ransoms paid but also in downtime and recovery efforts—has been estimated at about $4 billion. All of it could have been avoided if every organization running a vulnerable version of Windows 7 had patched that vulnerability, as Microsoft recommended. But that obviously didn’t happen.

Why is that?

In today’s episode of Lock and Code with host David Ruiz, we speak with cybersecurity professional Jess Dodson about why patching is so hard to get right for so many organizations, and what we could all do to better improve our patching duties.

According to Dodson, the problem of patching isn’t just a problem of resources—time, staffing, funding—but also of mindset. For some organizations, refusing to patch almost brings with it a bizarre sense of pride, Dodson said.

“I was having a chat to a fellow security professional who was doing some work for an organization where they were boasting about servers being up for 1,000 days. That’s not something to be proud of. I don’t get the whole idea of being proud of your uptime. That just means you haven’t done any updates on that thing for three years.”

Jess Dodson

Tune in to hear all this and more on this week’s Lock and Code podcast by Malwarebytes Labs.

You can also find us on Apple PodcastsSpotify, and Google Podcasts, plus whatever preferred podcast platform you use.