Friday 9 February 2018

Preparing for GDPR: Key Considerations for an Effective Security Patching Regime

In recent weeks most of you will have heard media coverage around the discovery of serious security flaws, known as Meltdown and Spectre, which affect almost every modern computer, and could potentially allow hackers to steal sensitive personal data. The three connected vulnerabilities have been found in processors designed by Intel, AMD and ARM.

I therefore thought today that it would be well worth sharing some information on not just these particular threats, but the wider issue of patching computer systems in order to protect confidential and/or personal data against the latest security threats.

Patches, also known as software fixes or updates, are released by software vendors on a regular basis and are designed to fix bugs within the software and put in place measures to mitigate newly discovered security threats. Patches are released regularly for operating systems (like Microsoft Windows) and for most business software applications, as well as for technical software such as anti-virus and backup programmes.

Applying these patches is very important for a number of reasons:-

* It helps to reduce your risk of falling victim to ransomware attacks, which, as the WannaCry attack on the NHS demonstrated last year, are extremely disruptive and can cause major business problems through downtime and loss of data, not to mention reputational damage and regulatory consequences.

* Exploiting known vulnerabilities is one of the most common ways that cyber criminals hack into or compromise a network. These are known as “commodity attacks”; more information on the types of attack can be found in this blog. Commodity attacks often lead to data breaches and ensuing reputational damage to the business, commercial impact with customers and, again, potentially serious regulatory consequences.

Which brings me nicely on to GDPR.

Just this week I was reading a blog by the Information Commissioner's Office (the data protection regulator in the UK), which sets out its stance on patching in relation to GDPR, and I quote:-

“Failure to patch known vulnerabilities is a factor that the ICO takes into account when determining whether a breach of the seventh principle of the Data Protection Act is serious enough to warrant a civil monetary penalty. And, under the General Data Protection Regulation taking effect from May 25 this year, there may be some circumstances where organisations could be held liable for a breach of security that relates to measures, such as patches, that should have been taken previously.” 

This statement brings clarity to the importance of applying security patches to your systems in a timely fashion. However, this may not be as straightforward as it first sounds. Firstly, for larger businesses with remote workers or staff who use their own laptop or device for work, there is the logistical issue of how to ensure that updates (which are coming out constantly) get deployed to all of these end-user devices.

There are also servers to be updated, which requires a structured process to ensure that technical expertise is made available, suitable testing is carried out and the updates are organised in such a way as to minimise disruption to the business, such as arranging business-friendly downtime slots should the servers need to be rebooted in order to apply the patches.

Timeliness is also an issue, since cyber criminals now actively “reverse engineer” fixes from software companies like Microsoft to work out which vulnerability an update addressed, and then exploit that vulnerability in organisations that have not yet installed the appropriate patch.

There’s then the issue of testing patches to ensure they are not going to cause a problem with other software you are using on your PCs or servers, or cause your IT system to grind to a halt. There has already been much speculation around how much the updates for Spectre and Meltdown may slow down computers, and over the years I have seen several updates that have caused problems on customers’ networks. Having a roll-back plan that will work is vital to mitigate the risks when deploying any widespread PC update.

Finally, your cyber defences are only ever as good as your weakest link on any given day, so when it comes to patching, getting 99% of your devices updated is just not enough. With many cyber threats set to seek out the one device that isn’t patched, and enter your network via that device, it is vital that organisations have in place systems that give clear visibility over all devices on the network and their current patch status, and raise an alert for any device which has not been patched or where a patch has failed to deploy for any reason. It is all too easy for one computer to slip through the net if your systems for deploying updates are not highly structured – perhaps the device was turned off, the user rejected or postponed the update or there was a technical problem such as the computer running short of disk space.
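As an added illustration (not the blog's or Connexion's own tooling), the following Python check runs over a constructed device inventory and implements the visibility-and-alerting idea in the paragraph above: it flags every device that is missing a required patch, whose last deployment failed or was postponed, that is short of disk space, or that has not checked in recently (the device may be switched off), and it reports the fleet as clear only when the count of non-compliant devices is zero rather than when the percentage looks high. The inventory fields, thresholds, patch identifiers and sample devices are all assumptions made for the example.

```python
"""Patch-status visibility check over a constructed device inventory.

Added illustration only; not the blog's or Connexion's tooling. The
inventory layout, thresholds and sample devices below are assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Thresholds (assumed values for the example).
STALE_AFTER = timedelta(days=7)   # no check-in for this long: device off or off-network?
MIN_FREE_DISK_MB = 2048           # below this a patch install is likely to fail


@dataclass
class Device:
    hostname: str
    last_checkin: datetime
    required_patches: set      # patch ids the policy says must be installed
    installed_patches: set     # patch ids actually reported as installed
    last_deploy_status: str    # "ok", "failed" or "postponed"
    free_disk_mb: int


def device_alerts(dev: Device, now: datetime) -> list:
    """Return one alert string per problem found on a single device."""
    alerts = []
    missing = sorted(dev.required_patches - dev.installed_patches)
    if now - dev.last_checkin > STALE_AFTER:
        alerts.append(f"{dev.hostname}: no check-in since {dev.last_checkin:%Y-%m-%d} "
                      "(switched off or off-network?)")
    if missing:
        alerts.append(f"{dev.hostname}: missing required patches {', '.join(missing)}")
        # Explain *why* the patch is missing where the inventory can tell us.
        if dev.last_deploy_status == "failed":
            alerts.append(f"{dev.hostname}: last deployment failed; investigate install log")
        elif dev.last_deploy_status == "postponed":
            alerts.append(f"{dev.hostname}: user postponed the update; enforce a deadline")
        if dev.free_disk_mb < MIN_FREE_DISK_MB:
            alerts.append(f"{dev.hostname}: only {dev.free_disk_mb} MB free; "
                          "install may fail for lack of disk space")
    return alerts


def compliance_report(devices: list, now: datetime) -> dict:
    """Summarise fleet patch status.

    A device is non-compliant if it has any alert. The 'weakest link' point
    is captured by all_clear, which is True only when *every* device is
    compliant; the percentage is reported for context, not as a pass mark.
    """
    alerts, compliant = [], 0
    for dev in devices:
        dev_alerts = device_alerts(dev, now)
        if dev_alerts:
            alerts.extend(dev_alerts)
        else:
            compliant += 1
    total = len(devices)
    return {
        "total": total,
        "compliant": compliant,
        "percent": (100.0 * compliant / total) if total else 0.0,
        "all_clear": total > 0 and compliant == total,
        "alerts": alerts,
    }


# Constructed sample inventory (hostnames and patch ids are placeholders).
NOW = datetime(2018, 2, 9)
SAMPLE_DEVICES = [
    Device("LAPTOP-01", datetime(2018, 2, 8), {"PATCH-A", "PATCH-B"}, {"PATCH-A", "PATCH-B"}, "ok", 50000),
    Device("LAPTOP-02", datetime(2018, 1, 20), {"PATCH-A", "PATCH-B"}, {"PATCH-A"}, "postponed", 40000),
    Device("SERVER-01", datetime(2018, 2, 9), {"PATCH-A"}, set(), "failed", 900),
    Device("LAPTOP-03", datetime(2018, 2, 9), {"PATCH-A"}, {"PATCH-A"}, "ok", 30000),
]

if __name__ == "__main__":
    report = compliance_report(SAMPLE_DEVICES, NOW)
    print(f"{report['compliant']}/{report['total']} devices compliant "
          f"({report['percent']:.0f}%), all clear: {report['all_clear']}")
    for line in report["alerts"]:
        print("ALERT:", line)
```

Run as a script it prints a one-line fleet summary followed by one alert per problem; in practice the inventory would be fed from whatever endpoint-management or monitoring system records last check-in, installed updates and deployment results, and the `all_clear` flag, not the percentage, is what should drive the green light.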

I hope this article has provided a useful insight into both the importance of, and the potential complications around, patching your computer systems. Here at Connexion we have highly structured processes and methodologies to deliver patch management to our customers, which include providing timely deployment of patches to all devices, clear visibility and alerting of any device that is missing a patch, and structured change control and rollback plans to minimise the risks around patch deployment. If you would like to find out more, please do not hesitate to contact me for a no obligation conference call on 0118 920 9600 or email james.stratton@connexion.co.uk.

 ________________________________________________________________________________

Established in 1994, Connexion Ltd provides IT consultancy, IT services and IT support to mid-size law firms, solicitors and legal services companies throughout the UK. Our focus is on delivering IT solutions that create real value to our clients' firms. Working closely with our customers’ in-house IT Managers, our structured and managed approach to delivering IT is paramount in ensuring our clients can maximise the business advantages technology can offer them, whilst minimising their risks. For more information about our services for law firms please visit our website http://www.connexion.co.uk/law/
