The massive data breach at Equifax dramatically demonstrates the importance of promptly applying software patches.
Equifax, a major credit-reporting agency, announced in September that personal information about more than 145 million U.S. customers had been exposed in a data breach that began in mid-May. Hackers reportedly attacked a web-application vulnerability for which a patch had been available for more than two months.
Equifax’s lax approach to protecting sensitive information in its care has been harshly criticized by national cybersecurity experts, and understandably so.
For many computer users, applying an update is just a matter of tapping the “install now” button when a valid alert pops up. Alerts can be annoying. But the growing threat of cybercrime has increased the importance of keeping computers updated.
Keeping business systems updated is more complicated. Keeping complex networks updated and secure is a duty that requires knowledge and constant vigilance.
Businesses have some leeway in applying updates that add or improve processes, according to experts at SDN Communications in Sioux Falls. But companies must apply security-related patches promptly.
“We wouldn’t necessarily update you if it wasn’t a feature that you could use,” said Bill Tetrault, supervisor of managed services at SDN. “But if it was a security fix, we’d move to get that customer upgraded.”
Usually, the sooner a security vulnerability can be fixed, the better. Some hackers take update release dates into account when planning attacks. Hacker methods and viruses change constantly. So new patches have to be developed constantly, too.
Some consumers and tech staffers at small businesses might not want to immediately take the time to download a software patch or might not even beware of it. In some cases, old equipment might not be able to support new software. Regardless of the reason, delaying implementation can create new risks.
Tetrault and Mike Klein, a managed services data technician at SDN, said that updates not related to security issues sometimes cause other problems. So it’s good to test them in an isolated environment before broadly applying the software. Companies’ IT staffers should review information about updates provided by manufacturers before installing the software.
SDN uses Fortinet firewalls and Cisco routers in providing managed services for business customers. Arbor Networks is the vendor for Managed DDoS Protection, which helps businesses stop denial-of-service attacks. Those are three of the biggest and most respected companies in communications technology and security. So, SDN has access to good information as well as high-level hardware and software.
When necessary, SDN staffers consult with customers to decide whether and when to install an upgrade.
Under a managed service agreement, SDN provides the equipment needed – such as a firewall to filter electronic traffic – and maintains it at a high level. In exchange, the customer pays a scheduled subscription fee.
At small businesses, updates typically can be set to run automatically. Updates can disrupt workflow somewhat but the alternative is usually worse. It’s especially important that companies keep network interfaces that are exposed directly to the internet updated and secure.
At SDN, the network administrator runs important updates on workstation computers every weekend, said Chad Pew, IT manager.
“We force those things to be done on a weekly basis. It takes the decision out of the employees’ hands,” he said.
Patches that address security issues should just about always be applied sooner rather than later. However, as Tetrault and Klein point out, updates designed to add features or improve performance might not be immediately necessary and sometimes can introduce new issues.
“You become a beta tester at that point. You want to go with the latest version that is staple,” Tetrault said.
SDN’s latest trio of cybersecurity posters includes one on updating devices. Use the button below to request a free download of all three infographics.