Organizations spend a lot of time, money, and effort trying to protect their employees from cyber threats. They implement cutting-edge endpoint protection, polish up their policies to encourage best practices, and provide ample training opportunities to raise awareness of information security risks.
But all their work can go to waste with a single click on the “Install Later” button when an employee is presented with the option to install a new software update. Understanding why software updates are important to cybersecurity and knowing how to ensure that they’re consistently installed in a timely manner is essential for keeping cyber threats at bay.
Skipping Software Updates Can Have Disastrous Consequences
What do software updates have in common with tooth brushing? Answer: the potentially very unpleasant consequences skipping them can have.
Just how unpleasant the consequences can be is perhaps best illustrated by the Equifax data breach, which happened in May 2017 and affected around 150 million Americans, 15 million British citizens, and about 19,000 Canadian citizens.
This breach would never happen if the multinational consumer credit reporting agency had installed a security update to address a known vulnerability (CVE-2017-5638) in Apache Struts 2, an open-source web application framework behind Equifax’s consumer complaint web portal. By exploiting the vulnerability, the attackers were able to remotely inject operating system commands and move from the web portal to other servers.
Incidents such as the Equifax data breach are, unfortunately, not rare at all. In fact, more than 200,000 computers across 150 countries were affected by the WannaCry ransomware attack at the time of the Equifax data breach because they had yet to install a critical security patch released by Microsoft to address the EternalBlue cyberattack exploit. Among them was the computer network of the UK’s National Health Service (NHS), as well as countless small businesses, whose size didn’t make them newsworthy enough.
But just because attacks on small businesses rarely ever make the news doesn’t mean that cybercriminals don’t see them as attractive targets. They do, which is one reason why skipping software updates can have the same disastrous consequences for them as for large enterprises.
Cybersecurity ratings company BitSight estimates that failing to patch makes organizations at least 2x more likely to suffer a data breach, and data breach costs are now the highest they’ve ever been, according to data published by IBM. Clearly, the time has come for all organizations to give software updates the attention they deserve and implement the below-described best practices.
Best Practices for Software Updates
The good news is that there are many steps organizations can take to improve their patching process and greatly reduce the risk of a data breach. But before we list the best practices for software updates that all organizations should follow, we need to clarify one thing: not all software updates are created equal.
The specific type of software updates this article is all about are security updates, which address security vulnerabilities and are rated by their severity.
While all software updates are important because they improve the user experience by adding new features and fixing all kinds of issues, security updates are essential because they prevent hackers and malware from exploiting vulnerable software.
Ideally, security updates should be installed on all vulnerable devices as soon as they become available, and the following best practices can help achieve this goal:
By implementing these best practices for software updates, it’s possible to greatly reduce the risk of a data breach caused by an unpatched vulnerability successfully exploited by an opportunistic cybercriminal.
If you would like help with their implementation, then don’t hesitate to contact us. We’ll work with you to align your patching process to secure your business.