You've heard it before, "Keep your apps updated!"

But why is this so important?

Here's something to consider: that pop-up asking you to update an app? More often than not, it isn't a fancy new feature or a change to a user interface. It's usually a software vendor desperately trying to fix a security issue.

Here's typically what's happened behind the scenes:

  1. An ethical hacker (the good guys) discovered a vulnerability in the software.
  2. They reported it to the software provider.
  3. The software provider's team is now racing to patch this hole to prevent the bad guys from actually exploiting it.

By clicking "Update Now", you're essentially slamming shut a door that a cyber criminal could have walked through.

For example, at 80with20 when we perform a penetration test or security assessment on a business, one of the first things we do is reconnaissance.

This means we use a variety of techniques to identify as many of the components of technology your business uses to operate. We then look at the version numbers of everything we find and cross-reference this with databases like Exploit-DB which is like a huge catalogue of known security vulnerabilities and the tools to exploit them.

If we find outdated software, we might be able to download a piece of code that literally allows us to click "run" and gain access to your system. It's one of the few times that hacking can be just like in the movies - except in this case, we'll be on the phone to you immediately to let you know and help fix the issue.

Now imagine if a malicious hacker found this before you patched it.

But one thing we know for sure is that people don't update apps. It's boring, you're busy and sometimes, it's not even that clear what needs updating or how to do so. Furthermore, you might have other bits of hardware dotted around the business that you don't regularly use or log in to which you'd never know even needed an update.

  However! Don't just hit the update button willy nilly!

While staying up-to-date is crucial, it's not always as simple as clicking "update" the moment you see it.

Sometimes, you need to patch immediately due to known exploits out in the wild. Other times, it's wiser to wait a few days and let the rest of the world be your guinea pigs. This pause can reveal any unforeseen issues - both security and functionality - that might come with the new patch.

Additionally, if your business relies on heavily customized software, it's smart to test updates in a test environment first. This ensures the patch plays nicely with your specific setup before you roll it out company-wide.

The key is to strike a balance: be prompt with critical security updates, but take a measured approach when the situation allows. A combination of your IT team and your software tools can help decide if/when a patch should be rolled out.

 Implementation Plan: 

  1. Choose Your Weapon: Select a patching tool that fits your business size and needs.
  2. Roll It Out: Implement the tool across your entire business. This might take a bit of time, but it's worth it. Make sure every device, from office computers to that old printer in the corner, is covered.
  3. Future-Proof It: Set up your tool to automatically include any new devices or users added to your network. This way, you won't have to remember to add them manually every time.
  4. Keep an Eye on Things: Make sure your chosen tool is set up to give you regular reports. These reports should show you if any devices are falling behind on updates. It's like a health check-up for your tech.
  5. Spread the Word: Include a quick intro to your new patching system in your employee onboarding or next team training session. Let everyone know it's there, working quietly in the background to keep the business safe.

 

Essential 8 Maturity Levels

Climbing the Security Ladder In the Essential 8 framework, you can achieve different levels of security maturity. The good news? Sometimes, it's just as easy to reach a higher level as it is to achieve the basics. Here's how that plays out:

To hit Level 1, you need to:

  • Patch critical vulnerabilities within two weeks for most applications
  • Remove any applications that are no longer supported by their vendors

But here's the kicker, if you automate patching, you can reach Level 2:

  • Patch critical vulnerabilities within 48 hours for internet-facing services
  • Use vulnerability scanners to spot missing patches

And if you're feeling ambitious, Level 3 is even within reach:

  • Patch all critical vulnerabilities within 48 hours, regardless of the application type
  • Use automated methods for asset discovery and vulnerability scanning

The jump from Level 1 to 2 or even 3 often doesn't require much more work, and the software you're using can often handle the requirements for higher levels right out of the box.

Keeping your applications up to date is one of the most affordable and effective methods of securing your business. Installing a security update is basically getting free cybersecurity consulting from a big software company! Take advantage of it!

Want to Know More?

  1. Patch Applications: Keep your software up-to-date to fix those pesky security holes.
  2. Patch Operating Systems: Same deal, but for your computers' core operating system.
  3. Configure Microsoft Office Macro Settings: Stop nasty code hiding in seemingly innocent documents.
  4. User Application Hardening: Lock down your everyday software to make it harder for the bad guys.
  5. Restrict Administrative Privileges: Not everyone needs the keys to the kingdom.
  6. Multi-factor Authentication: Add an extra layer of security beyond just passwords.
  7. Regular Backups: Because sometimes, you need a plan B (or C, or D).
  8. Application Control: Only run the software you trust.