The Importance of Staying Up To Date
What does that mean for IT security?
One of the most common mantras in IT security is “Stay up to date.” You’ll find it in every set of tips because it’s a standard recommendation in pretty much every facet of IT. Generally speaking, this is taken to mean that you should keep your software and devices current with available updates and apply the important ones with an appropriate degree of haste. The truth is, it’s a bit more than that.
The thing about computers is that they are changing, constantly. New software is being created all the time, updates are made to existing software, and old software is phased out. Even then, that’s only half the picture. Hardware is constantly being reengineered with new CPUs and faster memory. Most people don’t realize all the different parts that go into a computer and how quickly changes happen.
Staying up to date is more than simply applying patches or installing updates. It means keeping tabs on news and information that is important and affects your organization. For example, knowing that your organization is supposed to follow PCI-DSS regulations (any organization that accepts payment cards of any sort needs to follow it) is one thing, but knowing that PCI-DSS underwent a major update just this March (about 2 months ago) is part of staying up to date.
Part of my job as TRINUS’s lead cyber security technician is to watch for news or events that impact us or our Customers. To that end, I’m regularly looking through the news for things that could impact security, like a botnet attacking Watchguard firewalls (read up on Cyclops Blink if you’re curious) or some security flaw in Exchange that’s being actively exploited (Proxylogon… that was fun). I also keep tabs on regulatory and legal requirements like PIPEDA and PIPA, for example. That’s before you even start talking about updates to software, and it’s just part of staying up to date.
With that much information it’s easy to get lost, but you can always ask “How does this affect my organization?” to help filter out the noise. Industry standards for things like password length and complexity have changed in the past few years. Multifactor authentication used to be considered optional and now it’s become standard. You should be aware of these changes. If you keep personal information, you should keep up with changes to PIPEDA and PIPA, but if you don’t take electronic payments, you don’t need to worry about the latest changes to PCI-DSS.
Most of the recent regulatory and legislative changes have shifted the responsibility for computer security. In past versions of most legislation, it was the responsibility of the organization to come up with policies and procedures, and it was the employee’s responsibility to enact and follow them. Failures could easily get pinned on individual employees. The updated versions of many of these make it clear that the overall responsibility for security lies in the hands of the organization’s leadership and upper management.
Simply making some official policy isn’t enough. When it comes to computer security, policies can’t simply be on the books. They need to matter, get communicated to staff, and get practiced. It’s not enough to have Policy XYZ to cover certain situations; too many organizations followed the legal letter of the laws rather than embracing their spirit. Now the rules are catching up. That’s what staying up to date is all about.
If you’d like help bringing your cyber security policies up to date with current legislation, contact a TRINUS expert today.
This week’s Shakespearian quote comes from As You Like It: “The fool doth think he is wise, but the wise man knows himself to be a fool.”
Be kind, courtesy of your friendly neighbourhood cyber-man.