EternalBlue, a computer worm believed to have been developed by the NSA to take advantage of a vulnerability within Microsoft Windows, was made public approximately five months ago. While patches for this vulnerability were made readily available soon afterward, millions of companies were hit by WannaCry in May 2017, and still others were hit by NotPetya a few weeks later. Surely negligence can’t be the only explanation for why firms are failing to patch against these highly public and very dangerous vulnerabilities, yet businesses continue to fall victim to cyber attacks. What is the missing link, and how can underwriters assess the risk of patching for companywide IT systems?
Why Don’t Good Companies Patch?