The UK’s NHS knew that they had outdated hardware. They were warned. But they ignored the warning because those damn IT folks are always asking for something.
Cyber threats could cost lives unless NHS improves security
Yesterday ministers pledged to spend an extra £21m on NHS cyber security, and to adopt a series of security measures which were recommended a year ago – before the worst attack in the history of the health service.
So they knew for at least a year that they were vulnerable and did nothing. And I would wager that they were warned about the phase-out of XP support when Microsoft announced the schedule for discontinuing updates. But executives always view these kinds of warnings from IT as a smoke screen. Those damn IT folks just want new technology to play with. They can’t possibly understand what it means to the business to spend money on upgraded computers.
Even after WannaCry shut down the NHS for a couple of days, and was on every major newscast and in every paper, I bet there are still organizations that haven’t upgraded all of their XP boxes. I mean, be fair, Microsoft fixed THAT problem, so the risk is gone, right? Not so much.
The moral of the story is – you can lead a horse to water, but executives are never going to spend money to mitigate risks that they don’t understand. And the one constant in the universe is that executives are mostly too arrogant to admit that there are risks they don’t understand. So the only thing the lowly schlubs in IT can do is to document their recommendations and how they were turned down – otherwise it will be their fault for not keeping management apprised of risks. Either that or get out of IT altogether.