My feeds have spent the last fortnight chewing over the latest worm that ripped through European networks in late June, the one that looked like ransomware and behaved like sabotage. I'm not going to pretend to know more about its precise lineage than the people still pulling it apart, and there's been enough confident wrongness written already without me adding to it. What struck me, sat reading the post-mortems, wasn't the malware. It was how familiar the shape of it felt. Spread through a hole that had a patch available months earlier. Found the unpatched machines because there are always unpatched machines. Used a network to do what networks do, which is connect the careful to the careless.
We have, what, six weeks since the last one of these that everyone agreed was a wake-up call? And the call goes unanswered for the same reason every time, which has nothing to do with the cleverness of the attack and everything to do with the unglamorous reality of running estates of computers.
Patching is the thing that's always important and never urgent, right up until it's catastrophic, and human beings are terrible at the always-important-never-urgent category. I've watched it everywhere I've worked. The patch exists. Someone even tested it. And then it sits, because applying it means a maintenance window, and the window means downtime, and the downtime needs sign-off, and the system it'd touch is the one nobody wants to breathe on because it's load-bearing and undocumented and the person who built it left in 2014. So it waits. It always waits. The patch register grows a column of red, and everyone agrees we really must get to that, and the urgent work of the day wins again, because the urgent work always wins against the merely important.
What these outbreaks expose isn't a security failing in the heroic sense. It's an operations failing in the boring sense. The organisations that came through these things lightly weren't the ones with the cleverest defences, they were the ones that could actually answer the question "which of our machines is unpatched and where are they" without a three-day audit. That capability is dull. It's inventory, it's automation, it's the discipline of a maintenance schedule that gets honoured even when there's a fire elsewhere. None of it makes a good headline, which is exactly why it gets starved of attention until a worm writes the headline for you.
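The question in that paragraph is only answerable if the host inventory and the patch baseline exist as data that can be joined. As an added example, not part of the original post, the script below does that join: it ages every outstanding patch from its release date and flags the ones past a 30-day window, so the "column of red" becomes a sorted list of host, site and days outstanding. The hostnames, sites, patch ids and dates are all constructed.

```python
from datetime import date

# Constructed sample data: patch id -> date the vendor released it.
REQUIRED = {
    "PATCH-A": date(2023, 3, 14),
    "PATCH-B": date(2023, 5, 9),
}
# Constructed inventory: (host, site, set of patches confirmed installed).
INVENTORY = [
    ("fs01", "Plant-2", {"PATCH-A", "PATCH-B"}),
    ("legacy-erp", "Plant-2", set()),
    ("ws-233", "DC-North", {"PATCH-A"}),
]
TODAY = date(2023, 6, 27)  # fixed so the report is reproducible
SLA_DAYS = 30              # assumed internal deadline for applying a patch


def patch_register(inventory, required, today, sla_days=SLA_DAYS):
    """One row per (host, missing patch): age in days and whether the SLA is breached.
    Oldest outstanding patches sort first, so the top of the list is the real risk."""
    rows = []
    for host, site, installed in inventory:
        for patch, released in required.items():
            if patch in installed:
                continue
            age = (today - released).days
            rows.append({"host": host, "site": site, "patch": patch,
                         "days_outstanding": age, "breached": age > sla_days})
    rows.sort(key=lambda r: (-r["days_outstanding"], r["site"], r["host"]))
    return rows


def by_site(rows):
    """Answer 'where are they': site -> sorted list of hosts with anything missing."""
    out = {}
    for r in rows:
        out.setdefault(r["site"], set()).add(r["host"])
    return {site: sorted(hosts) for site, hosts in sorted(out.items())}


if __name__ == "__main__":
    rows = patch_register(INVENTORY, REQUIRED, TODAY)
    for r in rows:
        flag = "BREACH" if r["breached"] else "ok"
        print(f"{r['site']:<9} {r['host']:<11} {r['patch']:<8} "
              f"{r['days_outstanding']:>4}d {flag}")
    print(by_site(rows))
```

In a real estate the two inputs would come from the CMDB and the vendor feed rather than literals, but the join and the ageing are the whole of the report.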
I'll spare you the tidy moral, because I don't think there is one beyond what we already know and keep not doing. The patch was available. The window was unbookable. And a worm doesn't care which of those is your fault. If this latest one buys anyone reading a slightly easier conversation with their management about a maintenance window, it'll have done more good than the malware did harm. I'm not holding my breath, mind. We'll be here again by autumn, reading near-identical post-mortems, nodding along, and not booking the window.