Digital Saints Solutions


Education For More Secure Databases & Better Business Practices 

28 Jan 2025

Best Practices For A Better Business In The Digital Revolution 


In 2017, BitSight, the Standard of Security Ratings for information systems and computing, released a report titled 'A Growing Risk Ignored: Critical Updates' addressing the lack of relevant security protocols in over 35,000 companies from all over the world. The report (published in the National Archive, available here to read in full) analyzed widespread bad practices that commonly lead to vulnerable networks and data breaches.

One of the worst infractions was the blatant failure to update software, including the failure to apply, in a timely manner, critical updates or patches for operating systems that would mitigate known security issues.


While technology has advanced tremendously since this report was introduced (as a direct response to a series of ransomware attacks, including the prevalence of WannaCry in business and government networks all over the world), the effort to mitigate these attacks hasn't stepped up to the plate. 

Months before WannaCry became a widespread problem, Microsoft had already released a patch for the Server Message Block (SMB) vulnerabilities behind EternalBlue, one of the main vulnerabilities experts believed the bad actors were exploiting.

Despite the patch being freely available on the Microsoft platform, and despite companies being well aware of the update's release, many failed to download the simple fix that could have saved thousands of companies and businesses millions of dollars in damages over the course of several years. Just like that.

The same report from BitSight discovered that AT LEAST 50% of systems used by THOUSANDS of the companies tested were not only behind on patch updates, but were also running outdated versions of Internet browsers, making them TWICE as likely to experience a publicly disclosed breach.

Furthermore, BitSight also found that thousands of organizations had MORE than 50% of their computers running on outdated operating systems, making them THREE TIMES more likely to experience a publicly disclosed breach. 
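As an added illustration (not part of the original post), here is a small Python fleet audit that applies the two report findings above to a constructed inventory: each machine is checked against assumed minimum OS and browser versions and a patch-age limit, and the fleet is then banded by the same thresholds and multipliers the report quotes. The baselines, hostnames, versions and dates are all assumptions made for the example.

```python
from collections import namedtuple
from datetime import date

# Constructed policy baselines (assumptions for this example, not from the report):
# lowest major version still receiving security updates, and max age in days of
# the last security patch before a machine counts as behind.
SUPPORTED_OS = {"windows": 10, "macos": 13, "ubuntu": 22}
SUPPORTED_BROWSER = {"chrome": 120, "firefox": 115, "edge": 120}
PATCH_SLA_DAYS = 30

Endpoint = namedtuple("Endpoint", "host os_name os_major browser browser_major last_patched")

def outdated_reasons(ep, today):
    """Why an endpoint counts as outdated; an empty list means it is compliant."""
    reasons = []
    min_os = SUPPORTED_OS.get(ep.os_name)  # an unknown OS is treated as unsupported
    if min_os is None or ep.os_major < min_os:
        reasons.append("os")
    min_br = SUPPORTED_BROWSER.get(ep.browser)
    if min_br is None or ep.browser_major < min_br:
        reasons.append("browser")
    if (today - ep.last_patched).days > PATCH_SLA_DAYS:
        reasons.append("patch")
    return reasons

def fleet_summary(endpoints, today):
    """Fleet-level percentages, banded by the report's findings quoted above:
    more than 50% of machines on an outdated OS ~3x breach likelihood, at least
    50% behind on patches or browsers ~2x, otherwise baseline."""
    counts = {"os": 0, "browser": 0, "patch": 0}
    for ep in endpoints:
        for r in outdated_reasons(ep, today):
            counts[r] += 1
    pct = {k: round(100 * v / len(endpoints), 1) for k, v in counts.items()}
    if pct["os"] > 50:
        band = "3x"
    elif pct["patch"] >= 50 or pct["browser"] >= 50:
        band = "2x"
    else:
        band = "baseline"
    return {"total": len(endpoints), "pct": pct, "risk_band": band}

# Constructed sample inventory; hostnames, versions and dates are made up.
TODAY = date(2025, 1, 28)
FLEET = [
    Endpoint("pos-01", "windows", 10, "edge", 121, date(2025, 1, 10)),
    Endpoint("pos-02", "windows", 7, "chrome", 109, date(2024, 6, 1)),
    Endpoint("office-01", "windows", 11, "chrome", 120, date(2025, 1, 20)),
    Endpoint("inventory-db", "ubuntu", 18, "firefox", 102, date(2024, 3, 15)),
]
```

Running `fleet_summary(FLEET, TODAY)` on this sample puts half the fleet behind on OS, browser and patches, which lands in the report's "twice as likely" band; raising the outdated-OS share above half moves it to the "three times" band.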

It may seem counterintuitive, if you're a business owner or the head of a large operation, to expose yourself to attacks that can cost - most often - BILLIONS in damages between recovery operations and legal damages alone, yet this is a problem that seems to be ignored more often than it is readily addressed, even when the fix is free and simple.

There are a few reasons (none of them good enough) not to update the operating system, Internet browser, or hardware you are using to run your business or organization.

1. You're running irreplaceable software (or software you don't want to commission an engineer to adapt). Believe it or not, even the US government often contracts third parties to create, adapt, and maintain software for their various operations. The US government isn't alone in this, and is one of the worst offenders when it comes to using both outdated hardware and software.

There is a risk associated with contracting. The contractor must have a certain level of security clearance that will allow them to access the assets and resources needed for the project. Once the project is complete, the third party contractor is often decommissioned and the software is used as is until it cannot be used any longer. Unfortunately, that's just not how it works these days. 

If you have ever played a video game, better yet a PC game purchased through a platform like BattleNet or Steam, you have experienced the annoying start-up sequence on your desktop where Steam patches and updates all the games from your library on your hard drive. The client maintains the software, acting as a delivery network that keeps each game on an up-to-date version.

This requires two components to work: a connection to the Internet at all times, and a client installed to distribute the new patches and updates.

The connection to the Internet is often where the government and companies miss the mark with security. When working with sensitive information or even local databases - such as the in-store inventory files for a small business - you may not want to be online. Being online can be a risk unto itself as you have to allow some open ports and information transfer.

Recent updates to most databases converted files from the old save states to a fluctuating state that is updated from the main database, such as your vendor's inventory. Any pricing changes or serial numbers that update on their end will automatically apply to that vendor's products in your database, so point-of-sale and inventory systems update in real time with any changes made. This change made a lot of the older file extensions obsolete. So what do you do if you need to use the software but can't access any of the data because the new system update is incompatible?

The answer is to come up with the solution before that even becomes a problem. It may sound like a cop out, but it's true. To maintain security, you must anticipate future risks and address them accordingly. This is essentially what Microsoft did with the patch that would have saved so many from WannaCry, but because the companies themselves didn't anticipate the future risks or holes in their current setup, they were caught with their pants down. 

Call your IT department or hire third-party contractors to reformat your files to be compatible with new updates and patches, and push operating system and security updates through as soon as they are first announced. Plan for any downtime to fall during holidays, closures, or non-business hours.

The biggest excuse used is incompatibility issues or fear that older programs may not run with newer patches. There will always be updates. There will always be exploits. Anticipate them and plan accordingly. Before you're next on the ransomware hit list. 


2. Hire an independent Information Systems Security specialist to audit your network, databases, and the computers within them for critical issues and potential exploits that can be fixed before someone with a more malicious agenda finds out they're there. If you have your own security team, it is still recommended to get an independent second opinion, as we are only human and one team may spot something the last team missed (or didn't think to test).


3. If you're concerned about losing access to critical information or databases from updates, create backups, and read patch notes closely for patches and OS updates. Patch notes are typically available in advance depending on what operating system you use. Help make decisions with your IT department (if you have an internal IT department) by holding a quarterly meeting to discuss potential security threats and what can be done to enhance security throughout your network and each computer connected to it. 


4. ALWAYS KEEP A BACKUP AND BACK UP OFTEN. There is no hard and fast rule as to how often you should back up a project or database, but, depending on how often updates or changes are made, weekly or monthly backups are the most common best practice.

Keep backups on an encrypted external drive to ensure that they cannot become threatened by malware that can spread throughout online databases.

These days, you will typically keep two sets of backups, one on an external drive and one on a cloud server. 

Any time I make this suggestion, I think of the 2022 catastrophe that was my old credit union's online banking system and app, Vystar. They were desperately in need of an overhaul and started updating the mobile app and online banking system itself. The update process began in December of 2021 and didn't see resolution of any kind until almost June of 2022, due to the third-party contractor that had been working on the app launching the new update prematurely before issues started to show themselves, and prematurely also deleting the backup of the old app, which wasn't great, but it worked.


5. Invest in security software or monitoring. This is more of a suggestion for larger companies and businesses that have several computers connected to a mainframe or a widespread network. Security suites aren't cheap at the enterprise level but can save companies millions in digital damages and lawsuits by alerting IT departments of threats and deploying fixes or measures to mitigate them before the threat propagates and causes major damage. Just like anything, you must weigh the cost, risk, and reward for your business or organization before investing in security of this caliber, but for companies or organizations dealing with large amounts of transactions containing sensitive data, it will always be worth it. 

6. For smaller networks, consider using a VPN and teach employees best practices. There are several VPN providers out there that can add an extra layer of security over your servers and online databases, protecting information that could be used to exploit individual systems and monitoring threats at various pain points, such as remote access. Enforce regular password updates for individual accounts regardless of security clearance, and limit access to sensitive business assets to those who NEED access to them for their regular job description.

These tips can't prevent all attacks, as the field is constantly moving forward and the introduction of new patches, software, and updates is always going to be one step behind those who wish to exploit their flaws. Business owners and companies must be vigilant, and the bare minimum isn't ever enough, but it's better than nothing.

Don't put those patches or critical security updates on hold; upgrade operating systems as new versions become available to protect against long-standing exploits, and schedule updates and patches regularly to keep your systems in their most secure state.

©2024 Digital Saints Solutions - Samantha Luck