Patching our attitude to patching


Even if you don't care about your own security, spare a thought for everyone else.

Most of us - at home, in small businesses, in multinationals - know perfectly well that patching our computers is one of the most important things we can do for our own online security, and for the security of others.

It goes without saying, though I'll say it anyway, that we ought to be prompt in applying software updates which fix security holes the Bad Guys already know about.

The problem is that, very often, we're tardy in patching.

This leaves plenty of vulnerable computers for cybercrooks to exploit to do their dirty work. Whether it's zombie malware on your home PC which is spewing spam, or an unsafe web server at your business which is serving poisoned web pages, you're putting yourself and everyone around you at risk.

Why? What makes us unwilling to make the often-trivial effort to immunise ourselves against well-known but already-preventable cyberdiseases?

Some people don't take computer security seriously because they don't see themselves as part of the problem. (Mac users are particularly vulnerable to this school of thought. They assume that the limited amount of Mac malware is a side-effect of inherent resilience in their operating system, rather than merely that the crooks haven't focused much on them yet.)

Don't make this assumption. Even if you don't care about your own security, spare a thought for everyone else who might get affected if you inadvertently become part of the problem.

Others are reluctant to patch because they're understandably fearful of change. What if the patch merely makes things worse? What if the patch needs a patch? Why not wait for other people to go first and see how they get on?

But a little reluctance goes a long way. If you're a business system administrator, by all means wait a while, do your "due diligence" and try patches on a few test devices first. Just don't take too long.

Plan to be able to change quickly _anyway_, not just for security reasons. Plan to be able to roll out patches quickly and to unroll them equally quickly if needed. That sort of nimbleness will make you much more resilient in any future IT emergency. Learn to patch in days, not months or weeks.

And some companies don't patch because they rely on legacy applications which simply aren't being kept up-to-date and which break if brought into the present day.

Don't stand for this in your organisation.

If you have a software vendor who insists on you living in the security past (for example, by requiring you to stick to Internet Explorer 6), give them the boot _immediately_.

Take the pain of change now, on your own terms, before the crooks make you feel the pain on theirs.

When you're spending money on software, invest in developers who care about security at least as much as you do.

Copyright © SC Magazine, Australia

