Organizations spend a lot of time, money, and effort trying to protect their employees from cyber threats. They implement cutting-edge endpoint protection, polish up their policies to encourage best practices, and provide ample training opportunities to raise awareness of information security risks.
But all their work can go to waste with a single click on the “Install Later” button when an employee is presented with the option to install a new software update. Understanding the critically important role software updates play in cybersecurity and knowing how to ensure that they’re consistently installed in a timely manner is essential for keeping cyber threats at bay.
Skipping Software Updates Can Have Disastrous Consequences
What do software updates have in common with tooth brushing? Answer: the potentially very unpleasant consequences skipping them can have.
Just how unpleasant the consequences can be is perhaps best illustrated by the Equifax data breach, which happened in May 2017 and affected around 150 million Americans, 15 million British citizens, and about 19,000 Canadian citizens.
This breach would never happen if the multinational consumer credit reporting agency had installed a security update to address a known vulnerability (CVE-2017-5638) in Apache Struts 2, an open-source web application framework behind Equifax’s consumer complaint web portal. By exploiting the vulnerability, the attackers were able to remotely inject operating system commands and move from the web portal to other servers.
Incidents such as the Equifax data breach are, unfortunately, not rare at all. In fact, more than 200,000 computers across 150 countries were affected by the WannaCry ransomware attack at the time of the Equifax data breach because they had yet to install a critical security patch released by Microsoft to address the EternalBlue cyberattack exploit. Among them was the computer network of the UK’s National Health Service (NHS), as well as countless small businesses, whose size didn’t make them newsworthy enough.
But just because attacks on small businesses rarely ever make the news doesn’t mean that cybercriminals don’t see them as attractive targets. They do, which is one reason why skipping software updates can have the same disastrous consequences for them as for large enterprises.
Cybersecurity ratings company BitSight estimates that failing to patch makes organizations at least 2x more likely to suffer a data breach, and data breach costs are now the highest they’ve ever been, according to data published by IBM. Clearly, the time has come for all organizations to give software updates the attention they deserve and implement the below-described best practices.
Best Practices for Software Updates
The good news is that there are many steps organizations can take to improve their patching process and greatly reduce the risk of a data breach. But before we list the best practices for software updates that all organizations should follow, we need to clarify one thing: not all software updates are created equal.
The specific type of software updates this article is all about are security updates, which address security vulnerabilities and are rated by their severity.
While all software updates are important because they improve the user experience by adding new features and fixing all kinds of issues, security updates are essential because they prevent hackers and malware from exploiting vulnerable software.
Ideally, security updates should be installed on all vulnerable devices as soon as they become available, and the following best practices can help achieve this goal:
- Enable automatic software updates: As we’ve mentioned in the introduction to this article, the human factor is often the biggest reason why updates are not installed as soon as they become available. By enabling automatic software updates (to be installed during off-hours), you can solve the problem of users postponing the installation of updates indefinitely. Investing in a comprehensive patching tool that supports all operating systems and third-party software applications can be a great choice in this regard.
- Inventory all software and hardware: Now that the pandemic has disrupted established work routines and caused many organizations to switch to hybrid working, it’s more important than ever to create a comprehensive inventory of all software and hardware used by employees to access sensitive data and restricted systems. Without it, it’s impossible to know what needs to be updated and what doesn’t.
- Avoid unsupported products: Software developers and hardware manufacturers don’t support their products indefinitely. If you rely on old software and hardware, it’s possible that it contains known security vulnerabilities that can be exploited without much effort. Since patching is not possible, the next best solution is to replace the unsupported products with supported alternatives.
- Create a patch management policy: When employees are given a choice between installing a software patch and postponing it, they almost always choose the latter option just to avoid having to save their work and restart their device. The goal of a patch management policy is to make patching mandatory and specify how soon updates must be installed based on their importance.
- Stay up to date with security updates: Security researchers and vendors regularly disclose discovered vulnerabilities, and describe available fixes, in bulletins, and it’s a good idea to subscribe to them so that you can act before cybercriminals do.
- Keep things simple: You can greatly reduce the number of patches you have to install by simplifying your hardware and software inventory. Instead of allowing employees to use multiple software applications running on computers from multiple different manufacturers to complete the same tasks, pick a single software application and a single manufacturer.
By implementing these best practices for software updates, it’s possible to greatly reduce the risk of a data breach caused by an unpatched vulnerability successfully exploited by an opportunistic cybercriminal.
If you would like help with their implementation, then don’t hesitate to contact us at Aligned Technology Solutions. We’ll work with you to align your patching process to secure your business.