According to reports, recent months have seen several massive cyber-attacks that exploited out-of-date software. Unsurprisingly, the ongoing Petya cyber-attack also shows that companies running older, unpatched versions of Windows are more exposed. It is worth noting that the Windows flaw it used to spread had been patched months before the outbreak, so the exposure came from systems that had not applied an available update rather than from the age of the software alone. Across the world, Boards are asking CEOs whether these successive threats affect their organization and what is being done to prevent them.
Why do hackers target old software?
It is easy, and getting easier, to create malware that exploits vulnerabilities in your IT systems. Any software, once released, is going to be tested for vulnerabilities, whether by researchers trying to keep you safe or by attackers looking to abuse it. When a vulnerability is found it is usually disclosed publicly, either in the vendor's own advisory or by well-known security research teams (Google's Project Zero is a prominent example) that set a disclosure deadline so the vendor is pushed to fix it. Most respectable software vendors create patches quickly. But from the moment a patch is public, attackers can compare the fixed and unfixed versions to work out exactly where the flaw is, so everyone on the Internet knows there is a way into systems in your organization until you apply the update. Keeping software current is critical given our reliance on software.
What may be surprising is that most organizations are incredibly slow at keeping their systems up to date. It does not really matter that they have hundreds or thousands of IT staff; larger organizations with huge IT teams are often the slowest. As an example, the vast majority of large organizations (over 94%) are still running Windows 7, an operating system released in 2009, even though Microsoft released newer versions in 2012 and 2015 and each release added security protections the previous one lacked. Also consider this: will Microsoft fix as many issues in old, out-of-date software as in the latest version, the one they would like you to use? Fixing old software is expensive, and more often than not the vulnerability has already been fixed in the latest release, so most software vendors want you on their latest software, and for good reason. Once a version leaves the vendor's support window entirely, fixes stop altogether, and every flaw found after that date stays open for good.
Why is keeping software current difficult?
Your organization has hundreds or thousands of different pieces of software, and each one needs to be updated several times a year. Yet this process is often neither well defined nor automated, as the number of organizations running old software and getting hacked amply demonstrates. Accepting this is probably the largest step in addressing it. The whole organization can be distracted by new solutions, but that should not come at the cost of forgetting the ones you have already bought and deployed. The organization needs to accept that software changes all the time and embrace that reality. Business users are already used to their mobile phones and other devices updating constantly, so acceptance from the user community is unlikely to be the hard part.
This change will not happen easily. IT teams are used to huge migration or upgrade projects and have organised themselves around working that way. You, as the CEO, need to make it clear that your organization will now, as a matter of policy, keep all software current. It is up to IT to work out how. I would suggest that, at a minimum, the IT team needs to come back to you with three things:
- Start reporting on whether all software used in your organization is current. Very few organizations keep an inventory of what is installed and compare it, version by version, against the updates their vendors have published; that comparison is the report, and it also shows when a product has dropped out of vendor support altogether.
- Build processes and automation so IT can update all software without touching each system by hand, which is very costly. This matters especially for Windows upgrades, such as the move to Windows 10. Rather than earmark that as a huge one-off project, instruct IT to build automation so systems are always kept current. Microsoft's own update tooling does a reasonable job, and there are many third-party products that build on it to complete the automation.
- Invest in a system that lets your IT team see whether you have a problem or are being attacked and deal with it in real time, by which I mean really fast. Your organization is constantly under attack; you need to be able to detect and react in seconds or minutes, and your current systems probably respond in days, which is simply too slow.
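The first two items above describe a check that IT can actually automate: take the inventory of installed software, compare it with the versions each vendor currently ships and still supports, and report the gap. The script below is an added example and is not code from the original article or from any vendor. The host names, product names, version numbers, release dates and support end dates in it are constructed for illustration; a real report would read the inventory from an asset database and the catalogue from the vendors' update feeds. It also shows the one detail that trips up home-grown scripts: versions must be compared numerically, component by component, because a plain string comparison puts "9.0.100" after "59.0.3071".

```python
"""Software-currency report: compare an installed-software inventory against the
versions and support dates a vendor currently publishes.

Added example, not code from the original article.  Every product, version,
date and host below is constructed for illustration and does not describe any
real vendor's catalogue or any real estate.
"""
import re
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional, Tuple


@dataclass
class VendorRecord:
    """What a vendor's update feed would tell us about one product (constructed)."""
    latest: str                      # newest version the vendor ships
    released: date                   # when that version was published
    # support end date per major version; None means still supported
    support_ends: Dict[int, Optional[date]] = field(default_factory=dict)


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '10.0.15063' into (10, 0, 15063) so comparison is numeric.
    Comparing the raw strings is a classic bug: '9.0.100' > '59.0.3071' lexically."""
    return tuple(int(p) for p in re.findall(r"\d+", text))


def is_older(installed: str, latest: str) -> bool:
    """Numeric, per-component comparison; the shorter tuple is padded with zeros
    so '1.2' equals '1.2.0' instead of sorting before it."""
    a, b = parse_version(installed), parse_version(latest)
    width = max(len(a), len(b))
    return a + (0,) * (width - len(a)) < b + (0,) * (width - len(b))


def classify(installed: str, record: VendorRecord, today: date) -> Tuple[str, int]:
    """Return (status, days): days past end of support, or days since the
    missing update was released, i.e. how long the host has been exposed."""
    major = parse_version(installed)[0]
    end = record.support_ends.get(major)
    if end is not None and today > end:
        return "out-of-support", (today - end).days
    if is_older(installed, record.latest):
        return "patch-available", (today - record.released).days
    return "current", 0


def currency_report(inventory: List[Tuple[str, str, str]],
                    catalog: Dict[str, VendorRecord],
                    today: date) -> List[Tuple[str, str, str, str, int]]:
    """One row per (host, product): (host, product, installed, status, days)."""
    rows = []
    for host, product, installed in inventory:
        record = catalog.get(product)
        if record is None:
            # Software nobody tracks is the riskiest kind: report it, never skip it.
            rows.append((host, product, installed, "unknown-product", 0))
            continue
        status, days = classify(installed, record, today)
        rows.append((host, product, installed, status, days))
    return rows


def summarize(rows: List[Tuple[str, str, str, str, int]]) -> Dict[str, int]:
    """Count rows per status; this is the number the Board actually asks for."""
    counts: Dict[str, int] = {}
    for _, _, _, status, _ in rows:
        counts[status] = counts.get(status, 0) + 1
    return counts


# Constructed inventory snapshot: (host, product, installed version).
INVENTORY = [
    ("fs01", "ExampleOS", "6.1.7601"),        # major version 6: support has ended
    ("web02", "ExampleOS", "10.0.14393"),     # supported, but behind the latest build
    ("db01", "ExampleOS", "10.0.15063"),      # current
    ("db01", "ExampleDB", "9.6.3"),           # current
    ("web02", "ExampleBrowser", "9.0.100"),   # looks newer than 59.x as a string; it is not
    ("hr03", "LegacyTool", "1.0"),            # nobody tracks this vendor at all
]

# Constructed vendor catalogue, standing in for the vendors' real update feeds.
CATALOG = {
    "ExampleOS": VendorRecord("10.0.15063", date(2017, 4, 5),
                              {6: date(2017, 1, 1), 10: None}),
    "ExampleDB": VendorRecord("9.6.3", date(2017, 5, 11), {9: None}),
    "ExampleBrowser": VendorRecord("59.0.3071", date(2017, 6, 5)),
}

AS_OF = date(2017, 6, 28)  # constructed reporting date


if __name__ == "__main__":
    report = currency_report(INVENTORY, CATALOG, AS_OF)
    for host, product, installed, status, days in report:
        print(f"{host:6} {product:15} {installed:12} {status:16} {days:4d} days")
    print(summarize(report))
```

The "days" column is the part worth showing the Board: it is the length of the window during which a published flaw (or an unsupported product) has been sitting open on that host, which maps directly onto the exposure the article describes.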
Staying current does not just close off the large class of attacks that rely on known, already-patched vulnerabilities; it also lets your organization use all the latest features your software vendors have built into their products, which you have already paid for. There is little to lose, but be warned that this is a change in mindset, and it can only come from the top.