Software Updates: The Easiest Way to Reduce Cyber Risk
Software updates are like brushing your teeth: Everyone knows they should do it, but it's a momentary inconvenience. If you get in the habit of skipping it, you risk a painful and expensive cavity — or even worse outcomes over time. It's best to stick to a twice daily tooth brushing routine to avoid costly and painful dental problems.
Just as brushing your teeth is good oral hygiene, software updates are good cybersecurity hygiene. Patches should be applied on a regular basis to fix known vulnerabilities that could leave your business exposed to malicious hackers. While skipping brushing may cost you a cavity, a data breach is enough to put many small companies out of business.
Let's take a look at why software updates matter in cybersecurity and how to keep your small business up to date.
Why Updates Matter
Imagine that you're a hacker trying to gain access to sensitive data, such as credit cards or insurance records. You could try a brute force approach by guessing passwords, or coerce a user into divulging their password, but a much easier approach is to scan Internet-facing systems and network equipment for known vulnerabilities that haven't been patched. A working exploit for one of those typically gives you access with very little effort, and no user interaction at all.
Security researchers have found that the vast majority of successful exploits involve known vulnerabilities, not zero-days. A Ponemon Institute survey found that about 57% of data breaches were due to unpatched vulnerabilities. Even worse, more than a third (34%) of affected organizations knew that they had unpatched vulnerabilities in their network before the breach, but took no action to protect themselves.
For example, the WannaCry ransomware attack exploited an SMB vulnerability in Windows that Microsoft had patched months prior. Companies had plenty of time to apply the patch, but many did not. Even now, a remote code execution vulnerability in Windows Common Controls (CVE-2012-0158), patched back in 2012, continues to be used to compromise networks through malicious Office documents.
Software updates matter because they are one of the easiest ways to mitigate cybersecurity risk without expensive consultants or complex security solutions. The main requirements are testing the update to ensure it doesn't break anything and then running the update process. Hour for hour, these simple efforts have a higher return on investment than most other cybersecurity spending.
How Vulnerabilities Work
The good news is that most software vulnerabilities are discovered by security researchers rather than malicious hackers. These researchers may find vulnerabilities via internal security audits, or by deliberately probing a vendor's software or service under a so-called bug bounty program, which offers a reward for reporting any previously unknown vulnerability.
Download our free Penetration Testing Checklist to see what's involved in an audit of your network.
For instance, Google Project Zero's team of security analysts seek out zero-day vulnerabilities, report them to the manufacturer and give them 90 days to issue a patch before making the vulnerability public — a concept that's known as responsible disclosure. Google has a vested interest in ensuring that technological infrastructure is robust and free from vulnerabilities.
Many companies also offer bug bounties for security researchers that find vulnerabilities in software. For instance, Facebook, Google, Microsoft, Yahoo, Square and many other large tech companies offer financial incentives for security researchers that report vulnerabilities in their platforms in order to make them more secure.
Software companies patch these vulnerabilities and issue the fixes as security updates, often flagged as critical. You may apply these patches automatically or choose to test them first to ensure they don't break anything before installing them. After all, a new network driver may not install correctly on a legacy workstation that is still running an out-of-date version of Windows.
Building a Process
There are many ways to ensure that your software is kept up to date in order to avoid costly cybersecurity incidents.
Many businesses have transitioned from on-premises to cloud-based solutions. For example, if you own networking hardware, you may want to consider transitioning to a cloud-based platform where the vendor keeps the firmware up to date for you. Jungle Disk's cloud-based Active Network Protection is an example of a platform that's always up to date and secure against attack.
You should also develop a robust plan to ensure that all other software is properly updated over time, including:
- Conduct audits - Audit your small business' software to identify where known vulnerabilities exist and come up with a plan to address them immediately. Penetration testing firms use vulnerability scanners to find unpatched software and exploitation frameworks such as Metasploit to confirm that a finding is actually exploitable, so that you can fix it before criminals find it and exploit it.
- Catalog inventory - Inventory all networking equipment and devices that require firmware or software updates. That way, you can easily understand what needs to be updated and avoid missing any critical pieces of hardware in the process. It's equally important to keep this list of devices up-to-date over time.
- Automate updates - Automate as many critical security update processes as possible. If it's not possible to automate the actual updates, you should at least automate the reminders to check for updates on a regular basis. These efforts can go a long way toward reducing the number of outstanding vulnerabilities.
- Test patches - Test patches on a representative, non-production system to ensure that they don't break other components of the network or specific devices before rolling them out. This is especially important if you're running outdated operating systems or have interdependent software components on your network. Critical patches still need testing, just on a shorter clock: a day or two, not weeks.
- Evaluate options - Always evaluate different options to help make your business more secure. For instance, you may want to look at cloud-based versus on-premises solutions. It's equally important to have compensating controls in place, such as network segmentation or a firewall rule that blocks access to the affected service, so that a known vulnerability you cannot patch immediately is not directly reachable by an attacker.
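The inventory and audit steps above boil down to one question asked over and over: for every device we know about, is it running a version older than the one that carries the fix, and for how long has that fix been available? The script below, an added example rather than Jungle Disk's own code, answers that question over a constructed inventory and a constructed list of vendor advisories (the "Acme" products, advisory IDs, dates and SLA days are all hypothetical; in practice the inventory comes from your asset database and the advisories from the vendor or a CVE feed). It also flags devices the inventory has not confirmed recently, since an audit cannot vouch for hardware it has lost track of.

```python
"""Patch-compliance audit over a constructed device inventory.

Added example, not Jungle Disk's code. All product names, advisory IDs,
dates and SLA values are hypothetical sample data.
"""
import re
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Device:
    name: str
    product: str
    version: str
    last_seen: date      # when the inventory last confirmed this device


@dataclass(frozen=True)
class Advisory:
    advisory_id: str
    product: str
    fixed_in: str        # first version that contains the fix
    severity: str        # critical / high / medium / low
    published: date      # when the fix became available


@dataclass(frozen=True)
class Finding:
    device: str
    advisory_id: str
    severity: str
    days_open: int       # days since the fix was published
    overdue: bool        # days_open exceeds the SLA for this severity


# Hypothetical patch SLAs; set these to your own policy.
PATCH_SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}
SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}
INVENTORY_STALE_DAYS = 30


def version_tuple(v):
    """'4.2.1' -> (4, 2, 1); non-numeric suffixes such as '-rc1' are ignored."""
    return tuple(int(x) for x in re.findall(r"\d+", v))


def is_older(installed, fixed_in):
    """True if the installed version predates the version carrying the fix.
    Shorter tuples are zero-padded so that '1.2' compares equal to '1.2.0'."""
    a, b = version_tuple(installed), version_tuple(fixed_in)
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)) < b + (0,) * (n - len(b))


def audit(devices, advisories, today):
    """Match every device against every advisory for its product and report
    the ones still running a vulnerable version, most urgent first."""
    findings = []
    for dev in devices:
        for adv in advisories:
            if adv.product != dev.product or not is_older(dev.version, adv.fixed_in):
                continue
            days_open = (today - adv.published).days
            overdue = days_open > PATCH_SLA_DAYS[adv.severity]
            findings.append(Finding(dev.name, adv.advisory_id, adv.severity,
                                    days_open, overdue))
    # Critical before high, and within a severity the longest-open first.
    return sorted(findings, key=lambda f: (SEVERITY_RANK[f.severity], -f.days_open))


def stale_devices(devices, today):
    """Devices the inventory has not confirmed within INVENTORY_STALE_DAYS."""
    return [d.name for d in devices
            if (today - d.last_seen).days > INVENTORY_STALE_DAYS]


# Constructed sample data (hypothetical "Acme" products and advisory IDs).
DEVICES = [
    Device("fw-edge-01", "AcmeFW", "4.2.1", date(2024, 5, 1)),
    Device("fw-branch-02", "AcmeFW", "4.3.0", date(2024, 5, 1)),
    Device("ws-legacy-07", "AcmeOS", "10.1", date(2024, 2, 10)),
    Device("srv-db-01", "AcmeDB", "12.4.2", date(2024, 4, 30)),
]
ADVISORIES = [
    Advisory("ACME-2024-001", "AcmeFW", "4.3.0", "critical", date(2024, 4, 20)),
    Advisory("ACME-2024-002", "AcmeOS", "10.2", "high", date(2024, 3, 1)),
    Advisory("ACME-2024-003", "AcmeDB", "12.4.2", "medium", date(2024, 4, 1)),
]
TODAY = date(2024, 5, 2)


if __name__ == "__main__":
    for f in audit(DEVICES, ADVISORIES, TODAY):
        flag = "OVERDUE" if f.overdue else "within SLA"
        print(f"{f.device}: {f.advisory_id} ({f.severity}, open {f.days_open} days, {flag})")
    for name in stale_devices(DEVICES, TODAY):
        print(f"{name}: not seen in inventory for more than {INVENTORY_STALE_DAYS} days")
```

On the sample data the firewall on 4.2.1 is reported first (critical, 12 days open against a 7-day SLA), then the legacy workstation (high, 62 days open), while the devices already on the fixed version produce nothing. The same workstation also shows up as stale, which is the practical point of keeping the inventory current: a device nobody has seen for months is exactly the one that never received the patch.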
You should collaborate with team members when developing these plans to ensure everyone is on the same page before moving forward. For instance, a chief information security officer (CISO) may work closely with the chief technology officer (CTO) and IT engineers to understand the different networking hardware and devices involved before developing a plan to keep patches up to date, since each of them has a different role to play in testing and rolling out updates.
The Bottom Line
Many malicious hackers scan for known vulnerabilities that haven't been fixed as an entry point into a network. If you don't regularly apply patches, your network could be at risk of attack. The challenge is keeping up with these patches without breaking any existing functionality — a challenge that you can meet with the approaches discussed above.