Antique, vintage, throwback. These words are often used in today’s world to refer to objects that are cool, steady or unique. However, when it comes to software these are the last things you want. This blatant security risk may seem obvious, and no one likes to be taught how to suck eggs. However, an F-Secure survey throws up some surprising results, revealing that some executives seem to like playing it fast and loose with their security.
In the survey, covered on www.net-security.org, 94% of small- and medium-sized businesses thought it important to keep their software up to date. So far so good, but in fact only 59% reported actually keeping their software always up to date, and 63% reported not having the resources to keep software updated.
Keeping software at the latest versions is arguably the single most important piece of the information security jigsaw, as outdated software contains security holes that attackers can use as a gateway to your systems. In fact, some reports suggest that up to 70 to 80% of the top ten malware cases detected could be prevented entirely by keeping software up to date.
Unfortunately, one barrier to this seems to be the amount of time spent on software updates, with an average of 11 hours a week spent on this activity. This only increases with the size of the company. Even so, in popular imagination it is the OS itself that is the problem. In real life though, the OSs are often well maintained and updated. The real problem comes from third-party applications – even if they are necessary for business use (Adobe Reader and Skype are two prime examples).
Making the problem even worse is employees and the software and hardware they use. Almost half of the companies who were surveyed reported tolerating their employees using their own software, with smaller companies more likely to allow personal applications like Spotify, or the numerous personal browser plugins, etc. In many cases, employees who use their own software are also entirely responsible for the updates. This is risky, as people can’t always be relied upon to update their software themselves.
All the while, cyber attacks continue to grow via vulnerabilities in outdated software. The time to create new variants on old threats is counted in seconds, not days or weeks. Every company, therefore, should be prioritizing updates and, if not already present, implementing an update strategy to be followed by the relevant people.
The security principles set forth in industry standard ISO/IEC 27002 provide a framework for effective security, built around the cycle of Plan, Do, Check, and Act (PDCA). Many good security products are on the market, but all are designed to meet specific threats – and will not block other threats. At GRT Corp. our security philosophy is built around these words by noted security expert Dr. Bruce Schneier: “Security is not a product, but a process.”