The spread and reach of Wcry has provided yet another opportunity for the software developer crowd to laugh at the poor security practices at companies. If only dumbass users would stop opening Word attachments they receive in emails. If only the IT people would keep systems updated and properly manage the company’s intranet.
The fact is that pointing fingers is damn easy, but actually understanding how your users behave in the wild is quite a different matter.
I have worked in a company that was hit with ransomware at least twice in the space of a few months. My colleagues suspect that there were more incidents, but the people affected were too ashamed to ask for our help. Think what you may of users, the fact is not everybody knows they have a virus or that ransomware is slowly encrypting their system. My wife, for example, had a virus on her MacBook (yes, a Mac, the one conventional wisdom says is so good that it has no viruses, malware and such) for months and only complained to me when her computer became unusable.
Another thing that most people don’t realize is that updating an operating system can break your maintenance contract or even cause a malfunction. Hospitals, for instance, usually have expensive equipment that runs software on top of Windows or Linux. Patching a security flaw on such a system first needs approval from the vendor, which in turn might need to re-apply for a (costly) certification of their product. So while you simply need to enable automatic updates in Windows, any serious company needs to go through lots of red tape and incur non-negligible costs and downtime when they patch their systems.
Finally, developers should look hard in the mirror when pointing fingers. I have seen countless times people adding nice, cool features without pausing to think about the security implications, let alone discussing them with the business side of the company. It is true that the vast majority of developers don’t have the skills or training to factor in security concerns when they are coding. But just like users should stop blindly opening Word attachments, developers should stop believing that security is not their problem.