The single greatest deterrent to best security practices is user behavior.

The second greatest deterrent? Management behavior.

There is a little discussed, but very common phrase deep in the bowels of IT consulting organizations, and some large end customers. To paraphrase an indelicate line: “You can’t fix stupid or lazy.”

Harsh? Maybe so.

Yet too often, we see security incidents that were completely preventable if an organization had properly followed highly publicized procedures, and staff had followed proper protocol.

I don’t know what the statistics are on this, but I would wager that over half of all security incidents, major and minor, were inexpensively preventable.

It is impossible to perfectly secure an organization. We should all know that by now. But ignoring vendor notices, published patches, and best practices is a surefire way of inviting evildoers into your data center.

Case in point, the recent spate of ransomware attacks, highlit by the Windows Server 2003 security hole exploit last week.

Windows Server 2003 is still being used, even though it lost Microsoft’s product update support over a year ago. Sadly, this isn’t surprising to us. Many companies continue to run out of date, and unsupported products today.

In part, this is due to the perceived cost of upgrading, the perceived down time of applying patches, or just overworked and understaffed IT departments.

By some accounts, Windows Server 2003 still commands 18 percent market share, with another report claiming some 50% of organizations had at least one instance of it running.

One can only guess what motivates a company to ignore critical patches, and delay upgrading.  In our experience, cost and lack of resources are the most commonly cited reasons. While disruptions to ongoing production is another often quoted excuse.

Yet no one doubts the cost of major unplanned down time in the event of an outage, or security incident.  Not to mention the loss of goodwill, dollar damages, and more.

In no uncertain terms, we must encourage increased diligence with server patching, and a renewed focus on user training, especially around phishing scam awareness.

For more information on these, and related topics, reach out to me at chuck@txmq.com.

Chuck Fried is the President and CEO of TxMQ, Inc. An IT consulting firm helping mid market and enterprise customers better secure and manage their enterprises. Follow him on twitter: @chuckfried