Remind me later - the dangers of ignoring security updates
Have you ever pressed the ‘remind me later’ button when asked to update your software?
Of course you have – we all do it.
Whether it’s because we’re in the middle of something important or because we just can’t be bothered, it’s an increasingly dangerous attitude to have.
Mobile apps, operating systems, servers, browsers, software; these all need to be updated on a regular basis. As well as providing new features, updates also include patches to fix newly discovered security vulnerabilities.
Attackers can quickly reverse engineer a patch to find the vulnerability it fixes, and the window between patch release and the first attacks is shrinking all the time. The speed of patching is critical: the more you click the ‘remind me later’ button, the more chance you have of becoming the victim of an attack.
WannaCry was a perfect example of this in action: a ransomware attack on unpatched and out-of-date systems was launched one month after the SMB exploit EternalBlue appeared on the web. 10,000 organisations and 200,000 individuals in over 150 countries were ultimately affected, including the NHS.
As a result 19,500 medical appointments were cancelled, GPs were locked out of computers and five hospitals had to divert ambulances elsewhere.
The route in: one unpatched web application. That’s all it takes, one computer running a legacy OS, one unpatched server, one insecure device and attackers can get in.
Regularly updating is one of the key issues, but there's an even more pressing one: unsupported, vulnerable operating systems still being used in organisations. This includes Windows XP, an OS for which Microsoft stopped issuing security updates in 2014.
Surely no organisation can still be using Windows XP, I hear you ask. Well, you’d be amazed. In 2016 it was estimated that 90 per cent of NHS trusts ran at least one Windows XP system; in 2017 the Royal Navy’s £3.5bn aircraft carrier HMS Queen Elizabeth was reported to be using the system; and a survey by CyberX showed that three out of four industrial sites are still using obsolete Windows systems.
In fact, it seems to be quite common and an OS Adoption Trends survey showed that 52 per cent of businesses are still running at least one instance of Windows XP in their organisation.
Updating your operating system is the obvious answer, but for many organisations it's a mindset of ‘if it ain’t broke, don’t fix it’ that’s stopping them. If this is the case then companies need to be aware that the cost of a new OS may pale into insignificance in comparison to a data breach and the resulting fines under GDPR.
But for some it’s a bit more complex. Budget and resource restrictions play a part, as well as the fact that sometimes updating just isn’t an option as the kit being run (i.e. £50m MRI scanners) can’t be replaced.
There’s also the fear of downtime and whether updating the OS will bring down your critical operations. In this case companies need to take alternative action by isolating vulnerable systems as much as possible and increasing protection through firewalls.
As you can see, security updates are vital in protecting your organisation so, if you are running supported software, next time you see the update software button pop up think twice before pressing remind me later.
Four practical tips for updates:
- Implement a robust update schedule and verify that all machines within your organisation are up to date with the latest versions of software
- Automatically schedule your patches outside of office hours; that way nobody can press the ‘remind me later’ button. If you have to schedule updates during working hours, limit the number of times users can delay the patch
- When systems are critical you may wish to test patches in a test environment first. This way you can see if an update is safe to install on your live system
- If you are unable to patch, for whatever reason, you need to isolate as much as possible and increase security measures around the vulnerability
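The four tips above can be turned into a simple patch-compliance check. The following is an added example (not from the original article): it runs over a small constructed inventory and flags hosts on an unsupported OS, hosts that have been missing the newest patch for longer than the article's one-month WannaCry window, and hosts whose users have deferred the update too many times. The end-of-support date, the 30-day limit and the deferral limit are assumed policy values.

```python
from dataclasses import dataclass
from datetime import date

# Assumed policy values (not from the article). Windows XP extended support
# ended on 2014-04-08; the 30-day lag mirrors the WannaCry exploit-to-attack
# window; three deferrals is an arbitrary organisational limit.
END_OF_SUPPORT = {"Windows XP": date(2014, 4, 8)}
MAX_PATCH_LAG_DAYS = 30
MAX_DEFERRALS = 3


@dataclass
class Host:
    name: str
    os: str
    patch_level: date   # release date of the newest update installed
    deferrals: int = 0  # times a user pressed "remind me later"


def classify(host, today, newest_release):
    """Return the findings for one host (empty list means compliant)."""
    findings = []
    eos = END_OF_SUPPORT.get(host.os)
    if eos is not None and today >= eos:
        findings.append("unsupported OS: isolate, firewall, plan replacement")
    if host.patch_level < newest_release:
        exposed_days = (today - newest_release).days
        if exposed_days > MAX_PATCH_LAG_DAYS:
            findings.append(f"newest patch missing for {exposed_days} days")
        if host.deferrals >= MAX_DEFERRALS:
            findings.append("deferral limit reached: force install out of hours")
    return findings


def patch_report(hosts, today, newest_release):
    """Map each host name to its findings."""
    return {h.name: classify(h, today, newest_release) for h in hosts}


# Constructed sample inventory; the newest patch was published on 2018-05-08
# and the report is run on 2018-06-12.
SAMPLE_HOSTS = [
    Host("mri-console-01", "Windows XP", date(2014, 3, 11)),
    Host("web-app-02", "Windows Server 2016", date(2018, 4, 10)),
    Host("laptop-17", "Windows 10", date(2018, 4, 10), deferrals=4),
    Host("fileserver-03", "Windows 10", date(2018, 5, 8)),
]

if __name__ == "__main__":
    for name, findings in patch_report(SAMPLE_HOSTS, date(2018, 6, 12), date(2018, 5, 8)).items():
        print(name, findings or ["ok"])
```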