Patching our attitude to patching

Powered by SC Magazine
 

Even if you don't care about your own security, spare a thought for everyone else.

Most of us, at home, in small businesses, in multinationals, know perfectly well that patching our computers is one of the most important things we can do for our own online security, and for the security of others.

It goes without saying, though I'll say it anyway, that we ought to be prompt in applying software updates which fix security holes the Bad Guys already know about.

The problem is that, very often, we're tardy in patching.

This leaves plenty of vulnerable computers for cybercrooks to exploit to do their dirty work. Whether it's zombie malware on your home PC which is spewing spam, or an unsafe web server at your business which is serving poisoned web pages, you're putting yourself and everyone around you at risk.

Why? What makes us unwilling to make the often-trivial effort to immunise ourselves against well-known but already-preventable cyberdiseases?

Some people don't take computer security seriously because they don't see themselves as part of the problem. (Mac users are particularly vulnerable to this school of thought. They assume that the limited amount of Mac malware is a side-effect of inherent resilience in their operating system, rather than merely that the crooks haven't focused much on them yet.)

Don't make this assumption. Even if you don't care about your own security, spare a thought for everyone else who might get affected if you inadvertently become part of the problem.

Others are reluctant to patch because they're understandably fearful of change. What if the patch merely makes things worse? What if the patch needs a patch? Why not wait for other people to go first and see how they get on?

But a little reluctance goes a long way. If you're a business system administrator, by all means wait a while, do your "due diligence" and try patches on a few test devices first. Just don't take too long.

Plan to be able to change quickly _anyway_, not just for security reasons. Plan to be able to roll out patches quickly and to unroll them equally quickly if needed. That sort of nimbleness will make you much more resilient in any future IT emergency. Learn to patch in days, not months or weeks.

And some companies don't patch because they rely on legacy applications which simply aren't being kept up-to-date and which break if brought into the present day.

Don't stand for this in your organisation.

If you have a software vendor who insists on you living in the security past (for example, by requiring you to stick to Internet Explorer 6), give them the boot _immediately_.

Take the pain of change now, on your own terms, before the crooks make you feel the pain on theirs.

When you're spending money on software, invest in developers who care about security at least as much as you do.

Copyright © SC Magazine, Australia

