Do you remember the last time you saw that little window pop up in the corner of your computer screen? You know, the one that alerts you to update your computer?
Did you do it right away? Or did you click the ‘X’ and vow to run the updates next time? And how many more times did you ignore the alert before finally running the updates?
The computer programs we use every day are complex and constantly evolving. Consider this: Microsoft’s operating system, Windows 10, is running on 900 million computers globally. That means there are 900 million different instances of the operating system being used and tested in subtly different ways. So it’s no wonder that once a program like Windows 10 is released into the world, it occasionally needs to be updated and tweaked.
Security Gaps: There’s a Patch for That
These software tweaks are called “patches.” Just like stitching a patch onto the toe of your socks to cover a hole, a software patch is a small fix applied to a program that is already installed on your machine. These patches correct functionality errors, close security gaps, and boost performance through new features and adjustments.
Despite all these merits, software patches have a bad reputation for causing problems and taking a long time to apply—causing many users to delay or avoid patching their computer altogether. And it’s true: sometimes patches do have unintended consequences, and sometimes they do take a long time to install, but that doesn’t mean we can neglect them without risking negative consequences.
Known Vulnerabilities: An Easy Target for Cyber Attacks
When security patches are released, they include release notes that explain what in the software was patched and why—often exposing the very vulnerability that the patch is correcting.
As a result, these release notes inadvertently serve as a how-to manual for cyber criminals, as it’s much easier for hackers to capitalize on known vulnerabilities than to find new ones. And when you delay updating your computer, those known vulnerabilities make you an easy target.
WannaCry is an example of a widespread attack on a vulnerability that had already been patched. In May of 2017, WannaCry made global news as the ransomware attack took out more than 200,000 computers in over 150 different countries. The patch that corrected the vulnerability exploited by the virus had been released in March—two full months before the attack occurred. Patched systems were protected from the attack, but machines that had not been patched were left vulnerable.
While the WannaCry virus stands out because of the scale and scope, it wasn’t an isolated incident. Simply applying patches and using supported programs reduces your likelihood of falling victim to a cyber attack.
What types of systems need patches?
Trick question! All systems need patches. From the operating system on your computer to the firmware in your wireless access point, every system needs to be updated from time to time to keep it secure and functional. Therefore, using supported and maintained software is critically important to security.
Even if you are a home computer user and don’t have an entire network to protect, you should still take steps to protect yourself.
- Use a supported operating system. (If you're still using Windows 7, it's time to upgrade!)
- Keep your applications current. Using subscription services for Microsoft Office, Adobe, and other programs automates the process of maintaining current, patched software because those subscriptions include automatic update patches.
- Apply updates as soon as they are available. It’s okay if you need to wait until lunch or after your workday so it doesn’t interrupt your productivity, but applying updates as soon as possible after you receive the alert is a good habit to develop.
- Restart your computer at least once a week. Often, computers need to be restarted for the patch to fully install.
- Maintain a good backup. If a patch does cause a problem, protecting yourself with a solid backup will minimize your headache.
- Don’t neglect your mobile devices; run the system updates on your mobile phones and tablets. (We'll share tips for mobile device security in next week's blog, so stay tuned!)
Protect Your Business
There is no magic bullet for eliminating cyber security risk, but any healthy layered security approach must prioritize patch management and updates.
- Use only supported and maintained applications.
- Know what’s deployed in your environment; keep a running list of your hardware and software assets.
- Standardize your deployed software. It is much easier to test, track, and deploy patches if everyone is using the same programs.
- Maintain support contracts for your critical business applications. In the event that a patch causes problems, having support to troubleshoot and respond to issues is critical.
- Test patches before deploying them across the whole environment to minimize the negative impact if a patch has an unintended side effect.
- Automate your life by using Remote Monitoring and Maintenance (RMM) tools, which allow you to push patches automatically and track and report on what systems are out of date.
- Don’t neglect your network equipment. Firewalls, switches, and wireless access points are often forgotten because they are out of sight and out of mind. However, these pieces of hardware play an important role in network security and also require patching. Using business-grade devices that automatically receive security patches can eliminate a major security threat…and give you peace of mind.
- Run external vulnerability scans. These scans test your network against known vulnerabilities. Use the results to shore up your systems.
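To make the "running list" and "track and report on what systems are out of date" items concrete, here is a small added example (not from Prosource or any RMM product) that audits an asset inventory for unsupported software, patches that are available but not installed, and workstations that have not restarted in a week. The CSV columns, asset names, and dates are constructed for illustration.

```python
import csv
import io
from datetime import date

# Constructed sample inventory (not real systems); the column names are assumptions.
INVENTORY_CSV = """asset,kind,software,supported,last_patched,latest_release,last_restart
front-desk-pc,workstation,Windows 10,yes,2019-10-09,2019-10-08,2019-10-10
accounting-pc,workstation,Windows 7,no,2019-06-12,2019-10-08,2019-09-02
edge-firewall,network,vendor firmware,yes,2019-03-01,2019-08-15,2019-03-01
lobby-ap,network,vendor firmware,yes,2019-09-20,2019-09-18,2019-09-20
"""


def audit(csv_text, today, max_uptime_days=7):
    """Return {asset: [findings]} for every asset that needs attention."""
    report = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        findings = []
        # Unsupported software no longer receives security patches at all.
        if row["supported"].strip().lower() != "yes":
            findings.append("unsupported software: " + row["software"])
        # A patch released after the last install date is a known, open gap.
        patched = date.fromisoformat(row["last_patched"])
        released = date.fromisoformat(row["latest_release"])
        if patched < released:
            exposed = (today - released).days
            findings.append(f"patch available for {exposed} days, not installed")
        # Weekly restart rule applies to computers, not network gear.
        if row["kind"] == "workstation":
            uptime = (today - date.fromisoformat(row["last_restart"])).days
            if uptime > max_uptime_days:
                findings.append(f"no restart in {uptime} days")
        if findings:
            report[row["asset"]] = findings
    return report


if __name__ == "__main__":
    for asset, findings in audit(INVENTORY_CSV, date(2019, 10, 14)).items():
        print(asset)
        for finding in findings:
            print("  -", finding)
```

The firewall in the sample shows why network equipment belongs in the inventory: its firmware patch has been available for two months, the same gap that separated the WannaCry patch from the attack.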
The bottom line: whether you’re an individual user or the CEO of a company, remember the importance of patching, and the next time the update window pops up in the corner of your screen, click “apply now.” By taking the time to allow the system to apply the patch, you may be plugging a hole that a hacker could use to infect your system.
At Prosource, we believe your organization’s security is only as strong as its weakest link, so for National Cyber Security Awareness Month, we're taking a more personal approach to awareness. Every week throughout October, we'll send an email with cyber security tips and insights to help you stay protected against cyber threats.