“WannaCry should have been a wake-up call – it clearly wasn't,” Graham Mann, managing director of Encode UK, told SC. “Microsoft released a patch some time ago for the EternalBlue vulnerability but many of the organisations will not have deployed it yet for various reasons: they may be still testing the patch, they may be using ‘antiquated’ versions of the Microsoft operating system or simply have a policy of not applying patches to certain systems to avoid destabilisation.”
The concern about destabilisation is an important one. The NHS is one of the largest employers in the world, with a workforce that rivals the Chinese People's Liberation Army. When 48 NHS trusts were ensnared by WannaCry ransomware in May, plenty of people asked why one of the UK's most important pieces of infrastructure was so vulnerable. Then again, when is the right time to halt the IT infrastructure of a massive 24-7 frontline service for a spot of patching?