Here’s why you should never wait for security updates – oh and a bit about the Queen’s birthday!
As followers of British royalty doubtless already know, Queen Elizabeth II recently celebrated her 91st birthday – sort of. You see, because of the way these celebrations work, the “birthday” that the Queen has celebrated for so many years isn’t actually her birthday. Instead, it’s simply a week in early June that is roughly designated as the time to celebrate the birthday of the current British monarch. The real birthday could be – and has been – anytime throughout the year, but this small window is typically when the country actually celebrates it, and so when many people think of the Queen’s birthday, they think, “Oh, of course, it’s sometime in early June, I remember it being on the news.” Queen Elizabeth II’s real birthday is in April, actually, and you may (or may not) be surprised how many of her own people don’t realize that.
So, why the two different birthdays, and what in the world does this have to do with data security? Well, the reason for the birthday celebration is easy: It’s all about British weather. You see, the weather in England is notoriously difficult to predict, with a tendency toward rain (again, not a surprise), but of course, the country doesn’t want it to literally rain on the parade when celebrating a royal birthday. So they carefully ignore the real birthday date and plan the celebration for some time in May or June, even going so far as to put this “party” birthday down in official records. They just want a little bit of sunshine.
The data security connection is all about this curious behavior, and what it means for updating security processes. Because, you see, like Britain, many organizations find it easy to put a plan into action “when the sun is shining” instead of on the real date when action needs to be taken. Let’s take a look at why that’s such a serious problem.
The Problem of Patches vs. Apps
The Queen may celebrate her birthday in warm months because it is convenient, but businesses do not have this luxury when it comes to updating their security. It’s not a matter of picking the most convenient date: It’s a matter of recognizing that organizations don’t have a choice to delay or avoid patching their systems. There is no such thing as waiting for fairer weather. There is no gaming the system. Unfortunately, businesses have a difficult time recognizing this when conflicts arise between a noted security update and normal business operations.
This problem is exemplified perfectly when it comes to app updates and compatibility. Let’s take a look at a WannaCry ransomware example to underline the point. Say that your company depends on a particular app for operations – an inventory management tool, for example. That tool is compatible with an older version of Windows 10, which your company uses. Now, Microsoft released a security patch for WannaCry and related attacks back in March 2017. Your IT expert knew about this patch and recommended that it be applied to all Windows 10 systems in the business for protection. Unfortunately, the patch is designed for a newer version of Windows 10: It looks like you need a larger update to include the patch.
That’s a problem because the all-important inventory management app just won’t work with a newer version of Windows. You have contacted the vendor but haven’t received any news about whether an updated version of the app will be provided. So your organization sits tight on the older Windows 10 so it can maintain traditional business operations, at least for a few months…which is right around the time that WannaCry infects your network and starts hitting computers around the office that have no protection.
This happens a lot! It happened to many of the organizations hit by WannaCry, some of which were still using Windows 8 because of the aforementioned compatibility issues. So this isn’t just a theoretical issue, it’s a real problem – and one that your company must learn how to deal with.
The Importance of Immediacy
We’re going to make this really easy for you: If a decision comes to a choice between updating your operations for security and using an important app, choose the update. Every time. You can always find a vendor who is actually on top of their security maintenance or another app that accomplishes similar goals. You can’t find another way to patch vulnerabilities. Take the costs associated with the decision as part of security expenses, and move on.
We would love it if every organization could understand this. But we also know that the logistics behind this decision can be tricky. If your Melbourne & Brisbane business is struggling with older apps and security updates, Steadfast Solutions can help! Call us at 1300 739 or send us an email at firstname.lastname@example.org to learn more about our services!
Published on 7th June 2017 by Ian Brady.