The hidden risks in not updating your technology
As a business owner, it’s a relief to purchase software and technology, set it up and let it run. It’s as if once you’ve completed that task you can check it off and move on to face the ever-growing list in front of you. But just as your to-do lists grow and change throughout the weeks, months and years, so do software and security threats.
When it comes to technology solutions, unfortunately, a set-it-and-forget-it mentality won’t do. The best comparison is with changing your home air filters. Wait, what’s a home air filter? Many of us move into a home and never think about them until our eyes are watering, we’re sneezing, and cannot understand why we feel worse indoors than outdoors. The air filter is the tiny layer of out-of-sight protection that affects every room in the house, and when we neglect it and run the heat or air conditioning, we are allowing tiny allergy spores to inhabit our lungs.
Just like those pesky air filters, computer software needs regular updates. Every time you boot up a computer with an out-of-date product running in the background, you are exposing your business to potential hacks. Failure to keep up with software updates impacts user productivity and creates an increased risk of unavailable or exposed customer data.
When software is out of date, its security licenses are out of date as well. This creates areas of vulnerability that hackers find and exploit. But how do cybercriminals find and target your business? In 2020, hacking is very sophisticated. Hackers look for an opportunity like an end-of-life announcement and then go after businesses that have not updated their software.
A great example of this happened three years ago with the WannaCry ransomware attack. It exploited organizations that did not patch their systems or were running an end-of-service Microsoft operating system. WannaCry exploited vulnerable systems and infected them with ransomware, which caused an estimated $4 billion in damages.
The damage could have been avoided had the software in all of these organizations been updated. Many businesses, however, wait until it’s too late before they make the necessary updates. Often this is because of budgetary constraints, but the damage can cost more than the software in the long run. Accenture’s latest State of Cybersecurity Report found that the current average cost per attack for businesses is $380,000 per incident. IBM’s Cost of a Data Breach report places the full global cost of a breach at 10 times that — $3.86 million. Regardless of the size of your business, these kinds of costs can be devastating.
Just as important as software that is loaded onto a machine is the firmware, the software inherent in the hardware of the device. The date on this critical software is the date the hardware was put into service by the vendor, meaning it is only aware of software and application versions that existed prior to the hardware’s “in service” date. If this software isn’t updated, it will not be aware of upgrades, patches and advancements in software and applications, making it a target for malicious actors who want to gain access to critical systems. It is important to get firmware updates from vendors for their systems and know when they will stop receiving these crucial updates.
Keeping up to date
Make sure you stay up to date with product announcements from software vendors. For example, Microsoft ended support for its Windows 7 operating system in January 2020, noting “If you continue to use Windows 7 after support has ended, your PC will still work, but it will become more vulnerable to security risks and viruses because you will no longer receive software updates, including security updates, from Microsoft. Microsoft strongly recommends that you move to a new PC running Windows 10 to avoid a situation where you need service or support that is no longer available.”
Microsoft recently released a few more updates that may leave many companies trying to figure out what to do next and how it affects them. Here are the critical announcements starting with some key dates closely approaching:
• Microsoft 365 apps and services will stop supporting Internet Explorer 11. This starts with Microsoft Teams on November 30, 2020. The remaining Microsoft 365 apps and services will stop supporting Internet Explorer 11 on August 17, 2021. Per Microsoft, this means “customers will have a degraded experience or will be unable to connect to Microsoft 365 apps and services on IE 11.” (IE 11 itself is not going away, but the web-based services widely used by enterprises will not support it.)
• Microsoft will end support for the legacy version of its Edge browser, which will no longer receive security updates as of March 9, 2021.
Systems and technologies need to be continuously scanned for vulnerabilities, since these can be loopholes that let cyberattackers gain access to your organization. And so, once Microsoft discontinues support, the gates will be open to potential threats, leaving businesses even more vulnerable to an attack and unexpected costs.
Approaching aging or outdated technology
Patching current technologies is a regular practice for most businesses, and it works well. Unfortunately, the ability to patch will run out at a certain point, so it is essential to understand the lifecycle of the technology being used and be aware of timing for the next version. But keeping on top of this requires devoted time and effort, which means there should be a dedicated person or team working on the newer version of the operating technology while your company is still on the older version. This way, the transition is not abrupt, but thoroughly planned.
With that in mind, think about the broad range of technologies in use today: Chrome, Firefox and Edge browsers; Windows 10, Devon, Ubuntu, CentOS and Linux operating systems; Dell, HP and Lenovo hardware, to name just a few. All of these have individual lifecycles that require proper preparation for any update or change. No technology is exempt from this, and the Microsoft announcement is just one reminder. Eventually, all technology ages out, and technical support, including updates, comes to a halt entirely. Lack of awareness of this, and a failure to stay in line with or ahead of hardware and software lifecycles, is where most threats to your business live. By implementing a secure lifecycle approach, your business will be better prepared for any upcoming changes and concerns related to the technology lifecycle.
Vulnerability management is the process of proactively identifying, remediating and mitigating security vulnerabilities within the IT landscape. The key stages to consider include:
• Discovery: Identify all critical components of asset inventory to prepare for scans and tests to ensure your foundation is secured. Be sure not to leave out any assets.
• Asset Prioritization: Thoroughly map out your network and organize the assets, drilling down to the relevant details such as what software versions are being run on individual systems.
• Assessment: Prepare security measures by performing a vulnerability assessment that reviews the entire system and identifies the gaps, from the highest to lowest risks.
• Reporting: Measure and gather findings on the level of risks associated with your assets, ensuring configurations match according to security policies and are compliant.
• Remediation: Prioritize and fix vulnerabilities with necessary configurations and updates to establish controls and show progress.
• Verification and Monitoring: Check up on threat and risk audits and ensure continuous monitoring routines are in place.
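The discovery, prioritization and assessment stages can start with a simple lifecycle check of the asset inventory against vendor end-of-support dates. The sketch below is an added example, not part of the original article: the host names, the "Acme POS 4" product and the 180-day warning window are constructed assumptions, and the dates are the Microsoft ones quoted earlier on this page.

```python
from datetime import date

# End-of-support dates quoted in the article. It gives only "January 2020"
# for Windows 7; 14 January 2020 is the date Microsoft published.
END_OF_SUPPORT = {
    "windows 7": date(2020, 1, 14),
    "edge legacy": date(2021, 3, 9),
    "ie11 for microsoft 365": date(2021, 8, 17),
}

# Constructed sample inventory (hypothetical hosts), as a discovery scan
# or asset database export might provide it.
INVENTORY = [
    {"host": "front-desk-01", "product": "Windows 7", "critical": False},
    {"host": "billing-02", "product": "Windows 7", "critical": True},
    {"host": "sales-07", "product": "Edge Legacy", "critical": False},
    {"host": "hr-03", "product": "IE11 for Microsoft 365", "critical": True},
    {"host": "kiosk-09", "product": "Acme POS 4", "critical": False},
]

RANK = {"UNSUPPORTED": 0, "EXPIRING": 1, "UNKNOWN_LIFECYCLE": 2, "SUPPORTED": 3}

def lifecycle_report(inventory, today, warn_days=180):
    """Classify each asset and sort by urgency for remediation planning."""
    findings = []
    for asset in inventory:
        eos = END_OF_SUPPORT.get(asset["product"].strip().lower())
        if eos is None:
            # No lifecycle data is itself a finding: nobody is tracking it.
            status, days_left = "UNKNOWN_LIFECYCLE", None
        else:
            days_left = (eos - today).days
            if days_left < 0:
                status = "UNSUPPORTED"
            elif days_left <= warn_days:
                status = "EXPIRING"
            else:
                status = "SUPPORTED"
        findings.append({**asset, "status": status, "days_left": days_left})
    # Worst status first, business-critical hosts first, then nearest date.
    findings.sort(key=lambda f: (RANK[f["status"]], not f["critical"],
                                 f["days_left"] if f["days_left"] is not None else 0))
    return findings

if __name__ == "__main__":
    for f in lifecycle_report(INVENTORY, today=date(2020, 12, 1)):
        print(f"{f['status']:<18}{f['host']:<15}{f['product']}")
```

Products that come back as UNKNOWN_LIFECYCLE are the ones to research first with the vendor, since no one is yet tracking when their updates stop.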
Vulnerability management is a never-ending cycle that will ensure organizations are proactively reducing their risks and, ultimately, exposure. Always remember that security is not a set-it-and-forget-it program. A layered approach to the security lifecycle is necessary for greater strategic impact and improved protection. This is accomplished by creating an interwoven network of protection that prevents unwanted intruders from accessing your system (and even lingering within it for long periods of time).
We recommend a comprehensive process with a layered approach to security that encompasses systems implementation, testing, monitoring, vulnerability management and compliance. Some actions that will help address critical security challenges and prevent any future vulnerabilities include:
• Managed Security Awareness Training (MSAT): Educate your users to protect the business. Employees are your greatest asset, but also your greatest weakness if they are uneducated about threats designed to trick them.
• Continuous Vulnerability Scanning: Reduce the amount of risk in your network. Think of it as making sure all your windows and doors are locked in your home. That is exactly what scanning does.
• SIEM Log Monitoring: Compare this to your home alarm: it normalizes, alerts on and escalates all anomalous activity on the network. This feature provides user behavior analytics (UBA) to flag large file size transfers or users logging on at odd times.
This multifaceted strategy makes your business stronger, and just like maintaining the air quality in your home by regularly changing air filters, allows you to remain secure and better prepared for the future.