Security Breaches and the Importance of Patching

Security Breaches and the Importance of Patching

Last week I spoke to two different groups of business leaders, giving a presentation on CyberSecurity. Even though Halloween was still a couple weeks away, I think I successfully scared the heck out of them. On both days, though, the executives in attendance were asking some great questions; it's obviously a topic that is a concern for many people, especially those running businesses.

We talked about a lot of aspects of security, including many types of threats to be aware of, and a whole bunch of best practices to protect yourself and your company. Today, I want to highlight one that seems to be a common thread, because it comes up again and again.

One of the best things you can do to keep your company's information safe is to use modern hardware and software that's designed for business, and diligently apply patches when the vendor releases them.

Let's unpack that recommendation.

Use Modern Hardware and Software

Using modern hardware and software is important. People sometimes think it's about money, but it's really not. It's not just about making things faster, or adding features, or replacing hardware before it falls apart, either. The reality in the Information Technology industry, is that competition is forcing continuous improvement in the capabilities of the hardware and software we use. Makers of these products have to keep improving them, or they'll be left behind. That fact, and simple economics, mean that companies have to draw a line as to how far back they'll keep supporting their old products. "We fixed that bug 3 years ago, but you're using 6-year-old software." It doesn't pay to support the older stuff, and it makes more sense for them and for you, to upgrade to the latest.

Install Security Patches Diligently

That's important for security because all systems have bugs. Some of those bugs become exploits, avenues of entry for attackers to gain access to your system. It's the vendors' job to patch those bugs. And it our job, as owners or managers of those systems, to install those patches. That sounds simple, but it continues to astound me how often this advice is ignored, with disastrous consequences.

  • It was a known flaw, with a patch issued by the vendor but never installed by Equifax, that allowed thieves to steal identity information for 145.5 million people, who now have to worry about a real threat of identity theft for the rest of their lives.
  • A known flaw with an available (but not installed) patch caused the British National Health Service to turn away patients and postpone surgeries because their computer systems had been taken over by ransomware.
  • Had they followed this basic patching advice, that same ransomware wouldn't have hit other large companies, including FedEx, Nissan, Renault, Telefonica in Spain, Russian government agencies, Indian police, Chinese universities, etc. (As an aside, most of the 100,000 or so affected computers in those Chinese universities probably didn't have the option to patch, because most computers in China are running stolen (pirated) software…another great reason to make sure all your software is validly licensed.)

Use Systems Designed for Business

That brings us to the next part of the recommendation: use systems designed for business. Don't run your business on consumer grade and "home" versions of products.

By and large, vendors are pretty good when it comes to fixing the security-related bugs that they become aware of. But the business-focused vendors are more on top of these things than the consumer-focused ones. They have to be. They know their customers are protecting valuable information, and rely on these products to meet industry compliance requirements, like HIPAA and PCI-DSS, for example. Sure, they cost more, but there are good reasons to pay more, and security is one of them.

Take, for instance, the WiFi issue (WPA2 security flaw) that's making headlines as I'm writing this. Virtually every WiFi-enabled device, wireless router, and wireless access point is going to need an update to protect against this flaw. If you're using a business-class wireless AP, such as the Cisco Meraki line that we recommend our customers use, you're in luck. They fixed the problem in a patch that came out before the flaw was made known. Similarly, Microsoft had issued their patch to fix this issue a week before the flaw was disclosed.

Crystal Ball - More Security Problems Coming

There will be more headline-grabbing security issues in the news in the future. It's inevitable, because human-designed systems are bound to have flaws. And there's no guarantee that you'll be safe. But if you use modern systems, designed for business, and keep up with the latest security patches for those systems, your odds of being affected go way down. May the odds be ever in your favor.

(Patching is one of the many things we do for our Managed IT clients to take care of their networks and protect their business information. If you need some help on that front, I'd love to have a conversation with you to see if we can help.)