Data breaches have become frequent and costly events for today's organizations. You might have heard about recent incidents at Equifax, Uber and other major firms, affecting/impacting millions of consumers who had their personal information exposed. In the case of Equifax, 143 million individuals were affected; with Uber, key details were covered up long after the fact.
The Ponemon Institute has also estimated that the average data breach costs the organization in question more than $3 million. There is undoubtedly plenty of work left in reducing the fallout from such breaches, on every front from staffing to IT solutions planning. In this 3-part series, we'll look at the current weakness organizations can address to better protect everyone, starting with lack of timely technical upgrades.
What are the dangers of outdated software and hardware?
Remember Microsoft Windows XP? A few years ago, there was widespread anxiety upon its exit from mainstream support. At the time, many organizations – including healthcare providers and banks – were still reliant on the 13 year-old operating system, right up to the moment it stopped receiving crucial security patches.
Beyond XP, legacy assets are everywhere, serving as magnets for cyberattacks. For example, the spate of high-profile ransomware in 2017, including the WannaCry, NotPetya and Bad Rabbit variants, was mostly fueled by exploitation of a very old version of the Server Message Block protocol still installed on PCs around the world.
Without upgrades and the customized IT consulting to sustain them, organizations face elevated risks from modern threats, which are often designed to overwhelm the relatively limited security capabilities of older software and hardware. Consider the vulnerabilities of using a smartphone from 2011 today: Chances are, it would no longer be eligible for any OS updates or patches, meaning that any new exploit targeting its platform could never be closed.
While mobile devices and PCs receive most of the attention when discussing newsworthy threats, the problem is most discernible in lower-profile infrastructure such as network routers and switches that have minimal recourse against attacks. The recent KRACK issue in Wi-Fi security is a textbook example.
It broke the security mechanism underpinning secure Wi-Fi but was quickly patched on OSes such as Windows and Apple iOS. Elsewhere, though, it's expected to remain open for years and perhaps even decades, according to Wired. Fixing it on routers, network home appliances and other similar gadgets will require precise coordination between their respective manufacturers, chipset makers and software vendors. Updates may trickle out slowly, if at all.
What steps can be taken to ensure your IT assets are up to date?
The good news is that KRACK is an outlier and most vulnerabilities have patches available the same day they are identified. According to Flexera, 81 percent of them fit into this category in 2016, including over 92 percent of the 50 most used applications surveyed (e.g., Google Chrome, Adobe Reader, various Microsoft Office components, etc.).
What's the best way to ensure these patches actually get applied? There are a few tips worth following:
Reduce the number of apps you use
Auditing your network is a great way to discover third-party applications you might have forgotten about and no longer need. Fewer apps means less time spent keeping up with patches and reduced likelihood of leaving something unpatched.
"Auditing your network can reveal applications you might have forgotten about and no longer need."
Consolidate and automate
If you are using multiple solutions to help you manually manage patches and other updates, there's a possibility you will get your wires crossed and make mistakes. It's usually a better idea to consolidate tools and automate the processes.
Work with a IT security partner
Through services such as customized IT consulting, a dedicated provider can help you modernize everything from your data storage solutions to your security software. Its professional team can guide you through the IT solutions planning decisions that might otherwise seem overwhelming or too complex.
Explore cloud computing services
Many cloud-based services include full management by the service provider, meaning you don't have to worry about keeping all the individual components current. Cloud solutions can also save you money that could be put toward upgrades of the equipment you do own.
In part two, we'll look at how management decisions affect cybersecurity readiness. Until then, be sure to look at our Data and Infrastructure page for more information on how we can help you stay safe, or click below to read more about patch management tips.