If you’re reading this, you’ve probably seen your fair share of alerts reminding you to update your system. Perhaps your Windows OS has released a new update, or maybe your antivirus software needs a new patch. As frustrating as these frequent scenarios are, updates and patches are a fact of life.
Without conducting regular security patches, your company’s endpoints and systems are only as good as their current protective measures; which is problematic judging by the plethora of attacks Australian businesses have encountered in 2016. Large organisations like Big W and government agencies like the Bureau of Meteorology have suffered huge losses from hackers exploiting known security vulnerabilities.
In fact, according to Trustwave, a US-based security firm; one in seven Australian businesses fail to assess their security vulnerabilities despite considering it a top priority.
The point is, network security goes well beyond antivirus software and firewalls on company workstations. Though these systems are integral to a company’s security framework; malicious hackers could also take advantage of vulnerabilities that might exist in third-party applications; system configurations, and hardware. Applying patches is therefore critical to ensuring the security of your systems, but only after you’ve conducted an effective vulnerability assessment.
Assess your systems and controls
To perform a vulnerability analysis, you must identify and assign levels of importance for applications, data, hardware, and network resources. If vulnerabilities are found in any of these areas; you’ll be able to prioritise which system should be patched and addressed first. For example, email or cloud platforms may be mission-critical to your business processes, while servers that contain routine data might be placed lower on the priority list.
During the analysis stage, take the time to evaluate your existing security controls to determine the best combination of antivirus software, firewalls, and encryption. Remote malicious code execution, for instance, pose a huge threat to most companies, but if you already have advanced antivirus software, application whitelisting, and intrusion prevention in place, the risks are significantly lower.
Use vulnerability reporting services
After you’ve done a thorough analysis, conduct a vulnerability scan to assess your IT system for weaknesses. The scanner will typically compare your operating systems, networks, and applications against a database of known attack vectors.
The results from this test and the priority list you established earlier will allow you to evaluate the severity of an attack and classify the risks posed to your IT infrastructure if patches and fixes are not applied quickly. For example, a security vulnerability — like unpatched devices — can be considered high risk when common hacking methods can easily reach and affect business systems or data. Alternatively, a vulnerability is low risk when current systems have advanced mitigating controls, and only non-sensitive information would be affected.
Keep in the mind that if the results derived from these scans are difficult to interpret and act on, consider partnering with a professional well-versed in the technical aspects of vulnerability assessments and cyber security.
Hackers are quick to move once a vulnerability in operating systems, hardware, or applications have been publicised. In fact, just last September, a hacker managed to bypass, or jailbreak, the iPhone 7’s security features within 24 hours of its release. This makes it necessary to patch security vulnerabilities as soon as possible.
But running hundreds of security patches simultaneously can negatively affect business operations and uptime. So when patching, put your vulnerability assessment to good use and prioritise security patches for your mission-critical servers, applications, and data. According to the Australian Signal Directorate (ASD), patches for extreme risks must be applied within 48 hours of release, high risk within two weeks, and moderate or low risk within one month.
Consider patch management systems
Once you’ve established a priority list of systems and risks; ask yourself this: How exactly should you distribute upgrades to all your workstations and mobile devices?
If your company has 3 or 4 endpoints it may be cost-effective to perform updates manually. Whereas an automated patch management system allows you to mass distribute updates and standardise software, operating systems, and drivers company-wide.
A centralised remote management program ensures applications are running current updates and that antivirus software has the latest virus definitions. In case of automatic updates; we suggest scheduling high risk updates as soon as they are detected and, setting major updates outside of office hours to avoid disrupting the business during the day.
While it’s significantly more difficult to manage updates for companies with a mobile workforce and bring-your-own-device policies, it’s not impossible. With mobile device management services; you can remotely maintain, patch, and monitor business phones and tablets from a central location.
Uninstall programs and apps
Starting the New Year with clean systems also means getting rid of unnecessary programs. Commonly referred to as bloatware, these are applications that take up huge amounts of storage space and slow down workstations and mobile devices. Although these programs are harmless, many organisations ignore them, which is a security vulnerability in itself.
Updating and patching bloatware isn’t a priority for businesses; yet when low-value applications gather dust in your system, they become more susceptible to external attacks. As a general rule, if there’s nothing to update, there’s no vulnerability. Consult your IT administrator and have them pinpoint the extra applications on your endpoints and mobile devices. Then, evaluate the applications your company needs, and uninstall the programs you don’t need.
Consistency is key
Any security professional or programmer will tell you there’s no such thing as perfect code. Tech giants like Windows, Apple, and Google are constantly finding bugs and glitches that nefarious hackers could exploit. And if their systems have vulnerabilities, chances are, your organisation probably has dormant security flaws too. The best way to keep your business safe from cyber threats in the long run; is to commit to monthly — or even weekly — vulnerability scans and patches.
Vulnerability and patch management is a never-ending cycle, but don’t assume you have to do it alone. With exceptional security services from Empower IT; we make sure your organisation is running the latest updates on all its endpoints, servers, and applications. Contact us today to protect what’s important to your business.