For many of us, the files on our computers and servers are our business. Without them, everything stops, and we can’t do our jobs or serve our customers.
So when hackers take control of our files, it’s a big deal.
That’s precisely what happened in May of this year, when the Wanna Cry attack shut down thousands of businesses. In this ransomware attack, hackers demanded about $300 worth of bitcoin to release files, with the threat of permanently deleting them. This attack, noted as the biggest cyberattack to that point in history, impacted 200,000 victims in 150 countries.
Unfortunately, stories about hacks, phishing, and ransomware aren’t that uncommon. But there was a nugget in the Wanna Cry story that should stop your business’ C-level executives in their tracks:
In March, Microsoft released a security patch that closed the vulnerability exploited in Wanna Cry. The Wanna Cry attack didn’t start until May.
That means every victim of Wanna Cry had two months to update his or her software—and completely shut down the attack before it began.
It’s no surprise that so many people failed to make this update. We have seen a pervasive tendency for individuals and companies to fall behind in updating their operating systems, language and framework versions, and security patches.
Why do people do this? Here are some of the common excuses:
It takes time and (often) money
At the very least, it takes download time and a system restart for a minor update. Multiply this by dozens of machines, and the time investment for staying up to date is significant. When you’re talking about a language like Python or a framework like Django, you will likely need a software engineer to accomplish updates. This system maintenance prevents other projects from starting or moving, and also can drain capital expenditures that could be used on feature upgrades and other more public-facing changes.
Onerous policies bog down updates
In some companies, IT departments need to review every potential software update and assess whether it’s necessary. It’s important for IT to understand all aspects of software inside a company’s environment, but if the approval process drags because of red tape or manpower problems, then well-intended policies can actually become a source of vulnerabilities.
Updates can clash with legacy software
Sometimes there’s a legitimate reason not to install updates—because they will break integrations with other business-critical software. For example, what if your legacy ERP will only run on an older operating system like Windows XP? (This is more common than you think, because we encounter many companies that use ERP systems that are 20-plus years old.) When Microsoft stops supporting XP with regular security patches, your company ends up with vulnerable software and no way to fix it without a massive ERP upgrade project.
You’re already too far behind
When these first three things happen, it’s easy to fall behind, to the point that updates will take a user, group, or even a whole business down for a significant amount of time. When you run into this kind of technical debt, it’s an even bigger deal—one that can’t be fixed without an investment of time and resources. We have worked with clients that fell into this situation with their Python and Django versions. They fell so far behind that they could no longer update their existing web applications, and had to spend several months and tens of thousands of dollars to catch up so they could continue to make forward progress. The interest rate on their technical debt was steep.
These excuses aren’t arbitrary. There is business logic behind them. But ultimately, falling into these excuses leaves your business at risk. So what should you do?
The Key to Staying Up-to-Date:
Create a rhythm of updates
The best way to avoid technical debt is to be proactive. On a regular basis, seek out updates and install them. If you’re behind, catch up and then stay ahead of the game.
At Worthwhile, we offer clients ongoing support plans that include version and security updates. Each quarter, we install updates and confirm that they’re working, to make sure our clients don’t fall behind. Smart companies see the value of this kind of regular rhythm of searching out and installing updates, and they know that it’s much easier to do this proactively than reactively. This isn’t the only approach to staying up-to-date, but it’s one our clients have found helpful.
Of course, you will need to be reactive at some times, as critical patches are released. But a proactive approach will make this an exception, and not the rule, which will make it easier to react quickly when it’s required.
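The first step in a quarterly update rhythm is knowing how far behind each dependency actually is, and whether the gap is a routine patch or the kind of major-version drift the Python and Django examples above describe. The script below is an added illustration, not part of the original article or Worthwhile's own tooling. It reads data in the shape produced by `pip list --outdated --format=json` (fields `name`, `version`, `latest_version`), classifies each package by the largest version component that changed, and flags anything outside an allowed policy so the check can fail a scheduled job. The package list embedded in it is a constructed sample so it runs offline; in practice you would pipe the real `pip` output into `drift_report`.

```python
"""Dependency-drift report: how far behind is each installed package?

Added example, not code from the original article. Input mimics
`pip list --outdated --format=json`; the sample below is constructed
so the script runs offline. Versions are compared as dotted integer
tuples, which covers the common X.Y.Z case.
"""
import json
import re
from dataclasses import dataclass
from typing import List, Set

# Constructed sample in the shape of `pip list --outdated --format=json`.
SAMPLE_OUTDATED_JSON = json.dumps([
    {"name": "Django", "version": "1.8.19", "latest_version": "2.2.28"},
    {"name": "requests", "version": "2.27.0", "latest_version": "2.28.1"},
    {"name": "urllib3", "version": "1.26.8", "latest_version": "1.26.9"},
])

# Severity order used for sorting: the bigger the gap, the earlier it is listed.
LEVEL_ORDER = {"major": 0, "minor": 1, "patch": 2, "current": 3}


@dataclass
class Drift:
    name: str
    installed: str
    latest: str
    level: str  # "major", "minor", "patch" or "current"


def parse_version(text: str) -> tuple:
    """Turn '1.8.19' into (1, 8, 19); non-numeric suffixes such as 'rc1' are dropped."""
    parts = []
    for piece in text.split("."):
        m = re.match(r"\d+", piece)
        parts.append(int(m.group()) if m else 0)
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def classify(installed: str, latest: str) -> str:
    """Name the largest version component that differs between installed and latest."""
    i, l = parse_version(installed), parse_version(latest)
    if l <= i:
        return "current"
    if l[0] != i[0]:
        return "major"
    if l[1] != i[1]:
        return "minor"
    return "patch"


def drift_report(outdated_json: str) -> List[Drift]:
    """Parse pip's JSON and return one Drift per package, worst gap first."""
    rows = json.loads(outdated_json)
    report = [
        Drift(r["name"], r["version"], r["latest_version"],
              classify(r["version"], r["latest_version"]))
        for r in rows
    ]
    report.sort(key=lambda d: (LEVEL_ORDER[d.level], d.name.lower()))
    return report


def policy_violations(report: List[Drift], allowed: Set[str]) -> List[Drift]:
    """Packages whose drift level is not in the allowed set (e.g. only 'patch' tolerated)."""
    return [d for d in report if d.level not in allowed and d.level != "current"]


def render(report: List[Drift]) -> str:
    """Human-readable table for the quarterly review notes."""
    return "\n".join(
        f"{d.level:5s} {d.name:12s} {d.installed} -> {d.latest}" for d in report
    )


if __name__ == "__main__":
    report = drift_report(SAMPLE_OUTDATED_JSON)
    print(render(report))
    # Exit non-zero when a scheduled job finds more than patch-level drift,
    # so the update backlog is visible instead of silently growing.
    if policy_violations(report, allowed={"patch"}):
        raise SystemExit(1)
```

Run it with `pip list --outdated --format=json | python drift.py` by swapping the constructed sample for `sys.stdin.read()`; the non-zero exit is what turns a quarterly habit into something a cron job or CI pipeline can enforce.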
By staying up-to-date on security patches and version updates, you won’t want to cry when you try to access your files (or balance your books).