By Rick Ball, VPC Cyber/Continuity of Operations Branch Director
“What is so important about software updates and patch management?”, you ask. There has been a lot of talk and discussion on these two topics recently on LinkedIn, as well as on other reputable blogs and social media.
There will always be pros and cons to this question, but the key is risk management. When a new software update or patch from the likes of Cisco, Microsoft, Adobe, Google, and Mozilla is announced by an organization like CISA, you have a certain amount of assurance that it is needed to protect you from cyber criminals and threats.
I can tell you that most software companies, like the ones mentioned above, have test teams that do a thorough job of “Alpha” testing the software before it is released. Most of these companies also have “Beta” test sites with a select group of clients that test the software in a controlled operational environment, again before coming out with a “General Release”.
Many medium-to-large companies will have their IT department set up an internal testing environment where they install and run a new software update or patch before allowing it into the daily operational environment. And while that is admirable, and reduces risk, it can also be costly and time-consuming. For some small-to-medium companies, this is simply not feasible. And this is where risk management comes into play.
Most SMB executives and owners are willing to accept the risk of installing a software update or patch when it is released. The old 80/20 rule is often applied, and the assumption is that the software firms have done a good job of “Alpha” and “Beta” testing and that they will be minimally impacted.
So what do you do if you are a business owner or executive? For the most part, I highly recommend you install the software updates and patches when they are announced, especially if the announcement comes from CISA. Every day you have software installed (operating systems, browsers, and any daily operating software such as financial, accounting, or supply chain software) that could be exploited by cyber criminals and hackers, so you should make certain your IT and cyber teams (be they insourced or outsourced) are staying on top of this to minimize threats.
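“Staying on top of this” is easier when it is measured rather than assumed. The following is an added example (not the author's, and not tied to any vendor tool) of the simple risk-based patch-lag check an IT or cyber team can run over a software inventory: each host's installed version is compared against the fixed version in an advisory, and anything still unpatched is graded against a shorter deadline when the advisory flags the flaw as exploited in the wild. The inventory, the advisories, the version format and the 3-day/30-day deadlines are all constructed assumptions for the demonstration.

```python
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Advisory:
    """One vendor/CISA-style advisory: which product, which version fixes it."""
    product: str
    fixed_version: str
    released: date
    exploited: bool  # True when the advisory says the flaw is exploited in the wild


@dataclass(frozen=True)
class Installed:
    """One row of a software inventory: what version a host is running."""
    host: str
    product: str
    version: str


def parse_version(version: str) -> tuple:
    """Turn a dotted numeric version such as '10.0.19045' into a comparable tuple.
    Assumption: versions here are purely numeric dotted strings."""
    return tuple(int(part) for part in version.split("."))


def patch_status(item: Installed, advisory: Advisory, today: date,
                 max_days_exploited: int = 3, max_days_normal: int = 30) -> str:
    """Grade one installed product against one advisory.

    'patched'  - installed version is at or above the fixed version
    'pending'  - unpatched, but still inside the allowed window
    'overdue'  - unpatched and past the window (shorter if actively exploited)
    The 3-day and 30-day windows are constructed policy values, not a standard.
    """
    if parse_version(item.version) >= parse_version(advisory.fixed_version):
        return "patched"
    age_days = (today - advisory.released).days
    allowed = max_days_exploited if advisory.exploited else max_days_normal
    return "overdue" if age_days > allowed else "pending"


def compliance_report(inventory, advisories, today: date) -> dict:
    """Map host -> product -> status for every inventory row that has an advisory."""
    by_product = {adv.product: adv for adv in advisories}
    report: dict = {}
    for item in inventory:
        advisory = by_product.get(item.product)
        if advisory is None:
            continue  # no advisory for this product: nothing to grade
        report.setdefault(item.host, {})[item.product] = patch_status(item, advisory, today)
    return report


def overdue_hosts(report: dict) -> list:
    """Hosts with at least one overdue patch, sorted for a stable to-do list."""
    return sorted(h for h, products in report.items() if "overdue" in products.values())


# Constructed sample data: three advisories and a five-row inventory.
ADVISORIES = [
    Advisory("browser", "120.0.1", date(2024, 5, 1), exploited=True),
    Advisory("os", "10.0.19045", date(2024, 4, 1), exploited=False),
    Advisory("accounting", "3.4.0", date(2024, 5, 8), exploited=False),
]
INVENTORY = [
    Installed("finance-01", "browser", "119.0.0"),     # 9 days old, exploited -> overdue
    Installed("finance-01", "os", "10.0.19045"),       # already at fixed version
    Installed("web-02", "os", "10.0.19044"),           # 39 days old -> overdue
    Installed("web-02", "accounting", "3.3.9"),        # 2 days old -> pending
    Installed("hr-03", "browser", "120.0.1"),          # patched
]
TODAY = date(2024, 5, 10)


def sample_report() -> dict:
    return compliance_report(INVENTORY, ADVISORIES, TODAY)


if __name__ == "__main__":
    for host, products in sample_report().items():
        print(host, products)
    print("overdue hosts:", overdue_hosts(sample_report()))
```

The point of the two deadlines is the risk-management trade-off the post describes: an owner who accepts the 80/20 risk of installing a general release promptly still needs a way to see which systems have quietly fallen behind, and an advisory that says “exploited in the wild” deserves a much shorter grace period than a routine update.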
All too often in the past, I have heard executives and owners state: “The system/server is too important to take down to patch.” This “If it isn’t broke, don’t fix it” mentality ultimately catches up with you, as many have seen. However, due to the many cyber attacks and exploits against systems that have not been updated or patched, the costs have caused many to reconsider their risk management strategy. Bottom line: unless you work for a medium-to-large company with a dedicated test environment, do yourself a favor, stay on top of those software updates and patches, and get them installed ASAP!