You’re working on a deadline and you get a pop up asking you to install the latest security update for an application. You don’t have time to do it right now, so you click it away, telling yourself you’ll do it Friday afternoon or some other time that’s not as busy.
But a couple of months go by and that update still isn’t installed. What can possibly happen?
Just ask Equifax. In 2017, the consumer credit reporting agency had one of the most high-profile data breaches ever, with 143 million people having sensitive information like credit card details and social security numbers stolen. The breach occurred due to a web application vulnerability, a vulnerability that had been patched with an update 4 months prior to the breach, but the update was never applied to Equifax’s system.
Patch and update management is one of the key best practices that you’ll see recommended for proper cybersecurity, whether it’s for HIPAA and PCI compliance or to protect against ransomware and malware attacks.
Those “annoying” requests for updates are actually red alerts to fix a found security flaw, but unfortunately many users ignore them because they don’t want to be inconvenienced.
A majority of data breaches in 2019 were due to unapplied security patches.
Let’s take a look at why those updates are so important and common update mistakes that you’ll want to avoid.
Why Are Security Patches So Important?
It seems a never-ending battle between operating system (OS) and software manufacturers and the hackers trying to exploit their code. A new vulnerability is found, and a new patch comes out to fix it. Then the cycle repeats.
Those OS, software, and firmware updates are so important because they typically contain security patches that have been issued after a vulnerability in the code has been discovered.
Once news is out about a vulnerability, cyber criminals are racing to exploit it in the window between it being found and a patch being issued. Many of them will continue trying to breach systems months and years afterwards because they know that there are plenty of users that don’t apply those patches in a timely manner.
Top 3 Most Exploited Vulnerabilities
System vulnerabilities are used to enable data breaches and virus or malware infections, costing companies millions of dollars. Here are the top 3 most exploited vulnerabilities (and surprisingly there are still devices out there that haven’t yet been patched against them!).
CVE-2018-8174 “Double Kill” is a flaw in code that handles remote execution inside a Windows VBScript. It’s responsible for ransomware and banking trojans infecting multiple victims.
CVE-2018-4878, a flaw that targeted Adobe Flash. Even though a patch was deployed within hours, many users didn’t apply it and it’s been included in multiple exploit kits designed to deploy ransomware and other malware.
CVE-2018-11882, a Microsoft Office security vulnerability that allows arbitrary code to run when a malicious file is opened.
Common Update Mistakes
There are several ways that businesses can suffer data breaches due to non-updated devices. Here are some common mistakes that employees make.
“They’re Just Feature Updates”
Some people delay installing an update telling themselves that it’s just adding features and they don’t need them that bad and can do it later. But many updates that are released include a combination of security patches and additional features, so they all need to be applied and treated as vital.
Still Using an OS After Its End of Life
All you Windows 7 users out there could be heading for this mistake if you don’t upgrade by January 14, 2020. That’s the date that Windows 7 reaches its end of life, which means no more security updates will be released to the general public.
If you use an operating system after it is no longer receiving update support, you’re putting a red carpet out for hackers to take advantage of any system vulnerabilities. You’ll also be out of compliance with data privacy regulations.
Sharing Data with a Non-Updated Device
We often go between home and work, which means you could be accessing company data on a less secure consumer device that might not have updates in place. It can be easy to get a false sense of security if you know all your business computers are kept updated, and you might not even think twice about accessing that client file on your home laptop, but if that laptop isn’t properly patched, your data can still be at risk.
Being Worried that Something Might Go Wrong
Not all OS updates go smoothly, especially if it’s a major one. Likewise, any update to a WordPress plugin on your website can cause things to break that used to work fine. But that fear shouldn’t keep you from applying updates in a timely manner because the alternative is much, much worse.
Signing up for a managed IT services plan with a trusted IT professional can take the stress out of your updates and ensure they’re all done smoothly without any snags, and are done on time to keep your network secure.
Get Your Updates & Patches Handled!
Skillio Networks can take the stress out of managing all your device updates and security patches and keep your network protected from data breaches that try to exploit found security flaws.
Contact us today to get started and we’ll ensure all your devices are up to date. Call 1-888-926-1985 or connect with us online.