In 2017, the WannaCry ransomware “crypto worm” penetrated more than 200,000 computers running Windows across 150 countries in a matter of hours. Upon infecting a device, WannaCry – which is still a threat, although it has been hobbled – encrypted data and demanded ransom payments believed to total billions of dollars. Bad enough, but perhaps equally frustrating was the fact that months before the attack, Microsoft had actually identified the vulnerability and issued a downloadable patch, or update, that addressed the security exposure. So why did so many devices get whacked? It turns out that many Windows users had not bothered to download and install the updates.
Companies typically spend a considerable amount of money on cybersecurity, and threats like WannaCry make that understandable. After all, CEOs do not want to see valuable information – such as passwords, trade secrets and customer records – end up on the Dark Web or anyplace else. But even today, we are constantly surprised at the number of businesses that continue to miss out on staying up to date with their software and other patches.
Patches are updates that software or operating system vendors issue to fix performance bugs or to provide enhanced security features. There is typically no added charge for a patch, and the installation and updates generally do not interfere with ongoing operations. As the WannaCry attack dramatically demonstrated, businesses and individuals that do not keep up with their patches are putting their operations at risk.
So, why do they avoid this simple security step? Some of the excuses we hear include “we forgot,” “we did not know about the update,” or “we were short-staffed and put it off.” All of these are common excuses, but they are of very little help once systems are compromised. There really is no excuse for missing patch updates, especially since many outsourced IT support providers offer packages that automate the process of hunting for updates and installing them. Besides bolstering a system’s security, this may be more cost-effective than paying staff to spend time locating and installing patches.
These automated agents can do more than hunt for and install updates — they can also monitor for compliance, tackle issues, and alert the IT support providers about any problems so they can be addressed. Integrated patch solutions will typically include audit tools that create a list of all the software residing on a system, a regression tool that checks for patches, another tool that downloads and installs them, and one that monitors for compliance — because even if a user downloads a patch, a sophisticated attacker may be able to disable it without any obvious warning sign.
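The compliance-monitoring step described above, as an added example that is not part of the original column or any product it mentions: a small checker that compares each host's reported updates against a required baseline and also flags hosts whose monitoring agent has gone silent or whose update service is stopped, since a host that reports all patches installed is not compliant if the patching mechanism itself has been disabled. Host names, KB identifiers and timestamps are constructed sample data.

```python
"""Patch-compliance check over a constructed software inventory (hypothetical data)."""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Host:
    name: str
    installed_kbs: set            # updates reported installed by the audit tool
    agent_last_checkin: datetime  # last heartbeat from the compliance monitor
    update_service_running: bool  # state of the update service on the host


# Constructed baseline: patches every host must have (hypothetical KB ids).
REQUIRED_KBS = {"KB-EXAMPLE-0001", "KB-EXAMPLE-0002"}
MAX_AGENT_SILENCE = timedelta(days=2)  # longer than this and the data is stale


def assess(host: Host, now: datetime) -> dict:
    """Return findings for one host: missing patches plus monitor health."""
    findings = {"host": host.name,
                "missing": sorted(REQUIRED_KBS - host.installed_kbs),
                "alerts": []}
    if now - host.agent_last_checkin > MAX_AGENT_SILENCE:
        findings["alerts"].append("agent silent: compliance data is stale")
    if not host.update_service_running:
        findings["alerts"].append("update service stopped: patching may be disabled")
    # A host is compliant only if nothing is missing AND the monitor is healthy.
    findings["compliant"] = not findings["missing"] and not findings["alerts"]
    return findings


def report(hosts, now):
    """Assess every host in the inventory."""
    return [assess(h, now) for h in hosts]


# Constructed sample inventory: one healthy host, one missing a patch, and one
# that claims full patching but whose agent and update service are both down.
NOW = datetime(2024, 1, 10, 9, 0)
SAMPLE_HOSTS = [
    Host("ws-01", {"KB-EXAMPLE-0001", "KB-EXAMPLE-0002"}, NOW - timedelta(hours=3), True),
    Host("ws-02", {"KB-EXAMPLE-0001"}, NOW - timedelta(hours=1), True),
    Host("ws-03", {"KB-EXAMPLE-0001", "KB-EXAMPLE-0002"}, NOW - timedelta(days=5), False),
]

if __name__ == "__main__":
    for finding in report(SAMPLE_HOSTS, NOW):
        print(finding)
```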
Unfortunately, many businesses do not think about these kinds of cybersecurity managed services solutions because they are not considered “sexy” — setting up a basic security protocol is not exciting enough to warrant a lot of attention. At least until something goes wrong. Then, after the damage is done, the issue gets a great deal of attention. In contrast, businesses that stay on top of their patches – either manually or with an automated tool – can avoid a lot of grief, wasted time and money, and damage to their reputation.
Carl Mazzanti is president of eMazzanti Technologies in Hoboken.