Managing Cyber Security Means Updating Quickly
The phrase “stay up-to-date with the latest patches” is almost universally recognized as sound advice, not just in cyber security circles but pretty much everywhere these days, and if you’re a regular reader you know we repeat it so much around here it’s practically become a mantra. It sounds simple but if you break it down there are actually several ideas embedded in it. However, when it comes to managing cyber security for your organization, there’s one aspect of that phrase that you should take to heart and that’s a sense of urgency.
Recently, a report was released estimating how long it takes hackers to actively exploit a vulnerability once it’s been announced. A few years ago it took, on average, 42 days, which meant that you had roughly a month to get a critical patch installed. However, the new data shows the average has dropped to just 12 days. And what’s more, because we’re talking about an average here, it’s a safe bet that a good portion of those attacks are being carried out before that.
Last year’s headline-grabbing Exchange vulnerability is a perfect recent-history example. You can read about it here but in a nutshell Microsoft announced the release of a patch to fix an Exchange vulnerability, yet many organizations still fell victim to a large-scale attack leveraging that vulnerability within days because they didn’t take the patch soon enough. The cause is cautionary: bad actors pay attention to patch release notes and the details of corrected behaviors. Armed with knowledge of the vulnerability and details of its fix pointing them to where to find it, hackers were basically able to commit full takeovers using a trivially easy exploit on a widely used platform (Exchange is basically everywhere) before many organizations had taken the patch.
Simply put, the bad guys are getting faster, which makes getting updates installed quickly (and efficiently managing cyber security in general) more important than ever. This is especially true for anything that is either mission critical to the organization or facing the internet. An official policy that defines your update schedule is vital. Because the loss of productivity due to an update may discourage your organization from adopting one, your update schedule should have two categories for patches: Normal patches, which happen on a set schedule that prioritizes a lack of user interruption, and Critical patches, which happen as soon as possible even if it may result in a short work disruption.
Of course there’s plenty more to say on the subject, so if you’d like help creating an appropriate update schedule or have any other questions about managing cyber security, don’t hesitate to contact us.
Shakespeare’s ‘As You Like It’ touches on similar themes for this week’s quote: “Time travels at different speeds for different people. I can tell you who time strolls for, who it trots for, who it gallops for, and who it stops cold for.”
Courtesy your friendly neighbourhood cyber-man.