Patch Early, Patch Often

Happy Friday the 13th. October is Cybersecurity Awareness Month, and this week's theme is Cybersecurity in the Workplace is Everyone's Business. Often it is the simple things that work best. Running automatic Windows and Microsoft updates, and applying updates and patches for Adobe, Apple, Android, and other products, is often the best way to close the door on a new exploit or attack. For instance, the Microsoft vulnerability that let the WannaCry exploit circle the globe in May had been patched by Microsoft in March. Only those people and businesses that had not applied the patch were affected.

As it happens, most individual and consumer systems get patched automatically without a second thought. But when it comes to businesses, most are using some sort of patch management system, and patching is often delayed to allow for testing. The reason is that many businesses use custom-written line-of-business applications. Some patches cause these products to fail, so they are never applied. Often these applications run in place for years without receiving any security updates themselves. Many times these legacy applications are running on servers with outdated and unsupported operating systems. Sometimes these applications are off-the-shelf business applications, but the company using the software has been unwilling to take on the expense of upgrading to the latest versions.

Decisions like these leave the company and its computer network vulnerable to attack and exploitation. Many times these decisions are driven by financial considerations, but in reality you are trading the known cost of the upgrade for the unknown, and sometimes significantly larger, cost of a cybersecurity incident or breach.

If you are tasked with running the patch management system at your company or organization, take a look at the delays you are building into the patching process. Are they really necessary? Could they be shorter? Might you be applying patches sooner? Often a patch that created problems when it was released has since been rewritten, or the software vendor has updated their code so that the security patch can now be applied.

The next time you have a vulnerability scan and assessment done, take a look at the unpatched vulnerabilities and decide which of these patches it is now safe to apply. October is National Cybersecurity Awareness Month, and this week's theme is Cybersecurity in the Workplace is Everyone's Business, so this is a great time to review this issue in your business.
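As an added example that is not part of the original post, here is a small Python script that performs the review just described over a constructed vulnerability-scan export: for each unpatched finding it computes how long the vendor's fix has been available and flags those whose deferral has outlived an assumed per-severity window, so the decision to hold the patch gets revisited. Host names, advisory labels, dates and the policy values are all constructed for illustration.

```python
from datetime import date

# Constructed sample rows from a vulnerability-scan export (not real findings):
# one row per unpatched finding, with the date the vendor shipped the fix and
# the reason the patch was deferred.
SCAN_FINDINGS = [
    {"host": "fileserver01", "advisory": "ADV-SAMPLE-1", "severity": "critical",
     "patch_released": "2017-03-14", "deferred_for": "LOB app regression test"},
    {"host": "hr-app-srv", "advisory": "ADV-SAMPLE-2", "severity": "high",
     "patch_released": "2017-04-20", "deferred_for": "monthly change window"},
    {"host": "legacy-db01", "advisory": "ADV-SAMPLE-3", "severity": "medium",
     "patch_released": "2016-11-01", "deferred_for": "unsupported OS, vendor EOL"},
    {"host": "workstation07", "advisory": "ADV-SAMPLE-4", "severity": "low",
     "patch_released": "2017-05-01", "deferred_for": "awaiting pilot group"},
]

# Longest deferral a finding of each severity may accumulate before the
# decision to hold the patch must be revisited. Assumed policy values.
MAX_DEFERRAL_DAYS = {"critical": 14, "high": 30, "medium": 90, "low": 180}

def days_unpatched(finding, review_date):
    """Days between the vendor's patch release and the review date (ISO strings)."""
    released = date.fromisoformat(finding["patch_released"])
    return (date.fromisoformat(review_date) - released).days

def overdue_findings(findings, review_date, policy=MAX_DEFERRAL_DAYS):
    """Findings whose deferral has outlived the policy window, worst first."""
    overdue = []
    for f in findings:
        age = days_unpatched(f, review_date)
        limit = policy[f["severity"]]
        if age > limit:
            overdue.append({**f, "days_unpatched": age, "days_overdue": age - limit})
    return sorted(overdue, key=lambda f: f["days_overdue"], reverse=True)

def report(findings, review_date):
    """One line per overdue finding, ready to hand to whoever owns the deferral."""
    return [
        f"{f['host']:<14} {f['advisory']:<13} {f['severity']:<8} "
        f"unpatched {f['days_unpatched']:>3}d, {f['days_overdue']:>3}d past the "
        f"{f['severity']} window (deferred: {f['deferred_for']})"
        for f in overdue_findings(findings, review_date)
    ]

if __name__ == "__main__":
    # Review as of the day the May 2017 worm spread (constructed review date).
    for line in report(SCAN_FINDINGS, "2017-05-12"):
        print(line)
```

Run against a real scan export, the same logic turns "we deferred that patch" into a dated, severity-ranked list of deferrals that have quietly outlived their justification.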


About the Author:

I am a cybersecurity and IT instructor, cybersecurity analyst, pen-tester, trainer, and speaker. I am an owner of the WyzCo Group Inc. In addition to consulting on security products and services, I also conduct security audits, compliance audits, vulnerability assessments and penetration tests. I also teach Cybersecurity Awareness Training classes. I work as an information technology and cybersecurity instructor for several training and certification organizations. I have worked in corporate, military, government, and workforce development training environments. I am a frequent speaker at professional conferences such as the Minnesota Bloggers Conference, Secure360 Security Conference in 2016, 2017, 2018, 2019, the (ISC)2 World Congress 2016, and the ISSA International Conference 2017, and many local community organizations, including Chambers of Commerce, SCORE, and several school districts. I have been blogging on cybersecurity since 2006 at http://wyzguyscybersecurity.com
