
Vulnerability management - update everything, all the time!

Written by Rob Tregaskes | Oct 28, 2025 8:30:00 AM

A severe cybersecurity incident is the most dangerous risk most companies face. It is the greatest threat to a company’s ability to deliver for its customers, and so to its value. This is the twelfth in a series of posts about cybersecurity risk, and how you can reduce it to give customers and investors confidence.

It's why I called the company Patching!

Ask my wife, ask anyone I work with: I am like a broken record on this; all software updates need to be applied as soon as possible! The reason I called the company Patching is because keeping software up to date is critical to cybersecurity and is often referred to as software patching - applying software patches to software, much like you might apply a material patch to an old pair of trousers to cover a hole.

Ok, so that seems a bit over the top; why keep banging the drum? The reason is simple - you need to control what you can control. You have the ability to configure all your software and tools to behave in certain ways and enforce certain technical controls; there will be gaps, but with constant review and testing you will eventually find them and plug them. You don't, however, have the ability to control the code that makes up the software written and maintained by third parties, like operating systems or the open source libraries your developers might be building into your products. Nobody is perfect, so those third-party software tools and libraries will have vulnerabilities (or holes) in them that can be exploited by an attacker. When those vulnerabilities are identified and remediated, that remediation is usually deployed in the form of a software update; the sooner you apply that update, the sooner that security hole is closed!

Gotcha, I'll update all my stuff. I'm done now, right?

In short, no. Conceptually grasping the importance of software updates to minimise vulnerabilities is one thing, but now you need to establish business processes and implement automated tooling to ensure that software is always up to date within a reasonable time frame; the NCSC (National Cyber Security Centre) mandates 14 days in the Cyber Essentials standard. As a rule people are mostly awful at keeping things up to date, so you need to establish some technical controls that allow you to enforce policies around updates. This will require some change management, so there are a number of considerations to keep in mind:

  • Device Management. The best way to ensure device operating systems and the apps installed on those devices are up to date is for them to be fully managed. Then you can use tooling like Microsoft Autopatch and device management policies to force updates through within a defined timeframe without the user being able to stop them (nobody likes waiting for updates to install)!

  • Mobile Application Management and Browser Management. When dealing with unmanaged devices, you can still enforce a certain element of control by using conditional access controls to force usage of managed browser profiles (in Edge and Chrome) and managed applications (such as the Microsoft and Google suites of apps). These managed apps and browsers can then have update policies applied to them which either force the update, or block access below a certain version number, forcing the user to apply updates to gain access.

  • Not all operating systems are equal. It is worth keeping in mind that whilst mobile operating systems (iOS, iPadOS and Android) are good at enforcing app updates, desktop operating systems (both MacOS and Windows) are terrible at it as there are all sorts of different installation mechanisms beyond app stores. You will probably need separate tooling installed via device management to keep the various apps installed on those devices up to date.

  • Testing & Phased Rollout. The more major the change, the more cautiously it should be approached. New major releases of Windows and MacOS should not be rushed into until a few months of 'cleaning out the bugs' have increased their stability. Ideally you want to wait at least 2 or 3 minor releases before making the jump. When dealing with a large device estate the more you can roll out in phases the better, as you are more likely to catch problems before they affect everyone.

  • Rollback. Sometimes software updates go horribly wrong and introduce more problems than they fix. When this happens you want to make sure you have a path to roll back the update to a previously 'known good' version. This is more important for operating systems than for applications, as application vendors will usually have a faster release cadence and will often rectify the issue within hours by halting the release and within a day or two by pushing a remediated version.

  • Vulnerability Scanning. No matter how good your processes and tools, there will always be devices or users that slip through the net. It is important to have vulnerability scanning tooling in place that identifies risky devices based on known vulnerabilities affecting the versions of software installed on those devices.

  • Infrastructure management. All the discussion above has been focussed on staff devices, but it applies to product infrastructure too. Do you abstract away the need to manage servers by using PaaS (Platform as a Service) offerings where you are simply buying compute and storage etc, or do you use an IaaS (Infrastructure as a Service) offering where the cloud vendor manages the hardware but you manage everything above that, in which case you need to handle updates? Maybe you don't use a cloud vendor and you operate your own server hardware, at which point all the considerations are (broadly) the same as managing staff devices and it is just the tools that differ.

  • Software development lifecycle. If your organisation writes software either as a product offering or for internal tools, then it is critically important to look at your software development lifecycle and processes. How do you deploy new versions to your customers or users gradually? How do you ensure open source libraries are properly maintained and updated? How do you roll back if you have issues? These are pretty standard considerations in software development and so a lot of developer tools are expressly designed with these processes in mind, but it is still important to check everything is configured properly.

  • Simplicity is powerful. The technology industry moves at breakneck speed and there are always shiny new tools and startups appearing on the market. One of the most important roles is to be willing to be the person who says 'no' to using yet another tool that needs to be managed and maintained, often providing only marginal benefit over existing tools. This is one of the reasons why it is very common to block most applications from being installed on managed devices and force users to use web app versions through managed browsers that block unauthorised extensions. Fewer applications to update and fewer vulnerabilities to manage! If you want to stay on top of the latest capabilities, it is worth giving serious thought to how you are going to test new tools without putting the rest of your security at risk.
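To make the "vulnerability scanning" and "block access below a certain version" points above concrete, here is a small patch-compliance checker. It is an added example, not code from the original post or from any of the tools mentioned in it. Given a device inventory (product and installed version per device) and a list of known fixes (product, first fixed version, date the fix was published), it flags every device still running a vulnerable version and reports whether the fix has been available for longer than the 14-day window the post cites from Cyber Essentials. The inventory, the fix list, the product names and the dates are all constructed for the example; a real deployment would pull the inventory from device management and the fixes from a vulnerability feed. It also shows why version strings must be compared numerically: as plain strings, "130.0.10" sorts below "130.0.2".

```python
"""Constructed patch-compliance example (not the post's own code).

Compares installed software versions against known fixes, flags
vulnerable devices, and checks the 14-day remediation window.
"""
from dataclasses import dataclass
from datetime import date

PATCH_WINDOW_DAYS = 14  # Cyber Essentials window cited in the post


def parse_version(version: str) -> tuple:
    """Turn "130.0.10" into (130, 0, 10) so comparison is numeric.

    String comparison would wrongly rank "130.0.10" below "130.0.2".
    """
    return tuple(int(part) for part in version.split("."))


@dataclass(frozen=True)
class Fix:
    product: str
    fixed_version: str  # first version that contains the fix
    released: date      # date the fixed version was published


@dataclass(frozen=True)
class Finding:
    device: str
    product: str
    installed: str
    required_version: str  # highest fixed version the device is below
    days_available: int    # days since the oldest outstanding fix shipped
    overdue: bool          # True once past PATCH_WINDOW_DAYS


def is_version_allowed(installed: str, minimum: str) -> bool:
    """The 'block access below version X' gate a managed browser or app policy applies."""
    return parse_version(installed) >= parse_version(minimum)


def check_inventory(inventory: dict, fixes: list, today: date) -> list:
    """Return one Finding per (device, product) that is still below a known fix."""
    fixes_by_product = {}
    for fix in fixes:
        fixes_by_product.setdefault(fix.product, []).append(fix)

    findings = []
    for device, installed in inventory.items():
        for product, version in installed.items():
            outstanding = [
                f for f in fixes_by_product.get(product, [])
                if not is_version_allowed(version, f.fixed_version)
            ]
            if not outstanding:
                continue
            # Report the newest version the device must reach, and measure
            # exposure from the oldest fix it has failed to apply.
            required = max(outstanding, key=lambda f: parse_version(f.fixed_version))
            oldest_release = min(f.released for f in outstanding)
            days = (today - oldest_release).days
            findings.append(Finding(
                device, product, version, required.fixed_version,
                days, days > PATCH_WINDOW_DAYS,
            ))
    return findings


# --- Constructed sample data (not real products, devices or dates) ---
TODAY = date(2025, 10, 28)

FIXES = [
    Fix("browser", "129.0.0", date(2025, 8, 15)),
    Fix("browser", "130.0.2", date(2025, 10, 1)),
    Fix("pdf-reader", "9.4.0", date(2025, 10, 20)),
]

INVENTORY = {
    "laptop-01": {"browser": "130.0.2", "pdf-reader": "9.3.1"},   # one recent miss
    "laptop-02": {"browser": "128.5.0", "pdf-reader": "9.4.0"},   # two browser fixes behind
    "laptop-03": {"browser": "130.0.10"},                          # fully patched
}


if __name__ == "__main__":
    for finding in check_inventory(INVENTORY, FIXES, TODAY):
        status = "OVERDUE" if finding.overdue else "within window"
        print(f"{finding.device}: {finding.product} {finding.installed} "
              f"< {finding.required_version}, fix available {finding.days_available} days ({status})")
```

Run as a script it prints one line per vulnerable device; laptop-03 produces nothing because 130.0.10 is numerically above 130.0.2. The `overdue` flag is the piece to feed back into conditional access: a device past the window is exactly the one the "block access below a certain version" policy should be catching.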

Bottom line

Software updates are deeply unglamorous, and often a real pain, however they are critical to keeping your organisation secure, and worth the effort to automate as much as possible. Being able to automate them is also one of the biggest reasons for requiring managed devices for access.

If you are navigating some of these challenges at the moment we can help. Our mission is to help you reduce your cyber risk, and so our help can be in whatever form is most helpful to you, from conducting an assessment of your current setup, to advising on system architecture and config, introducing trusted partners, training up staff or helping with op model development or hiring. Please reach out below 👇