The importance of timely software updates
Keeping your software and your computers up to date (also known as patching) is one of the most important things you can do to strengthen your cyber security posture. In 2024, the most common way attackers obtained initial access to organisations was by exploiting known software vulnerabilities. Security vulnerabilities in software are exploited within 19 days of being discovered, and yet organisations are taking over 100 days on average to install the updates that fix those vulnerabilities.
The evidence is clear: installing software updates quickly makes a big difference to your overall cyber security risk. So why is it so hard to get a program in place to install updates efficiently? In this article, I'm going to explore some of the most common reasons organisations choose not to invest in a software update program and challenge those reasons with some suggestions on how to break through the barriers.
Operational risk
One of the arguments against installing updates is that they may break something. Software updates aim to fix issues in software, but they can also introduce issues of their own. That does happen, but the risk is usually over-inflated.
If you ask any IT worker who has been in the industry long enough, they will all have a story about a time they installed a software update that caused a major outage and kept them from their beds for a night while they worked late to fix the issue. It's absolutely true these things can happen, but they are usually few and far between. I install thousands of unique software updates every year and I can count on one hand the number of updates that have caused an issue. Fewer than one of those each year would be an issue that causes a major business outage.
Ultimately, when you are installing software updates, you are balancing operational risk against cyber risk. The inevitable cyber-attack that comes from avoiding software updates is going to be much more impactful than the issue that comes from the occasional software update. At least the issue from the software update is within your control: you can't choose when to have a cyber-attack or how many systems it impacts at once.
How to manage it
The best way to manage the potential issue that comes from updating software is to perform the software updates in a controlled change window and to have good testing procedures.
If you understand how the software is supposed to work, you can test it after you update it to ensure it is still working as expected after the update.
You can control the operational risk by managing the way you deploy the software update. Deploy the software update to a test environment or to a pilot group of devices first. Test the software update in those low impact environments and then roll it out widely once you are satisfied it is working as expected.
Cost/Effort
Installing software updates can be a time-consuming process. Depending on the size of your organization and how many devices you have to keep up to date, it could be a job that requires a whole team of people dedicated full time to the task.
How to manage it
There are ways to keep these costs under control. Automation is your friend here. There are tools available that allow you to automate the process of installing software updates and even tools and methods for automating the testing and validation of updates. While there is a cost and effort involved in implementing these tools and processes, it can save you significant effort in the long run.
Not understanding where all your assets are
You can't keep something up to date if you don't know that it exists. So many organizations don't have a complete inventory of all of their IT assets. There are many famous stories of someone finding an old computer in a cupboard, turning it off and finding out the company's core accounting system is running off of it.
Even if you have good intentions of keeping all your software up to date, you can't guarantee your company is safe if you aren't confident you know where all your assets are.
How to manage it
Again, automation will help you a lot here. There are many tools out there that can scan your networks to discover and categorise your IT assets. If you have a lot of equipment, an asset discovery tool will be key. If you are a smaller business, this may be a problem you can solve manually with a spreadsheet and some good processes to keep it up to date.
Thinking you need to patch everything ASAP
If you don't have a good process for understanding what to prioritize when installing software updates, it can quickly feel unmanageable to keep on top of a software update process.
This is another problem of scale. If you have 10 IT devices, keeping them all 100% up to date is very easy. When you have tens of thousands of devices, it's almost impossible to have all of these completely up to date at all times.
It can be paralysing to think about the effort of keeping all systems 100% up to date, all the time.
How to manage it
Prioritising based on risk is key to a successful software update process. You need to have a defined plan for how you are going to prioritize software updates.
What is a critical update for your organisation? What are the most at-risk systems? What is your risk tolerance for exposure? These are the key questions you need to answer to determine what patches you focus on first and what patches get the most effort to get installed.
For example:
This information gives you your prioritisation process. Whenever a new update is released, you check the update notes to see if it is known to be actively exploited and then make a plan to install it within 72 hours. If a critical update is released for your firewalls at the same time as a critical update is released for your servers, you focus on getting the firewall update installed first and then focus on the server update (assuming your software updates are all being done by one team and can't be run in parallel).
Every organisation's prioritisation process is going to be different but should align to the organisation's risk appetite.
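To show what a defined prioritisation plan looks like once it is written down, here is an added Python example (not the author's own tooling). It encodes the two rules from the text (a known-exploited update gets a 72-hour window, and a firewall update is worked before a server update of the same priority) and ranks a constructed list of pending updates, flagging any whose deadline has passed. The 72-hour figure comes from the article; the other SLA windows, the asset-class ordering, and the sample updates are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Assumed ordering of asset classes: lower number is worked first.
# The firewall-before-server rule is from the article; workstations are
# an assumption added to show the general shape of the ranking.
ASSET_CLASS_RANK = {"firewall": 0, "server": 1, "workstation": 2}

# Assumed SLA windows in hours per priority tier. The 72-hour window for
# actively exploited vulnerabilities is the article's figure; the rest
# are placeholder values an organisation would set from its risk appetite.
SLA_HOURS = {
    "exploited": 72,
    "critical": 14 * 24,
    "high": 30 * 24,
    "other": 90 * 24,
}
TIER_ORDER = {"exploited": 0, "critical": 1, "high": 2, "other": 3}


@dataclass(frozen=True)
class PendingUpdate:
    update_id: str
    asset_class: str      # e.g. "firewall", "server", "workstation"
    severity: str         # vendor severity: "critical", "high", "medium", "low"
    known_exploited: bool # taken from the update notes / exploited-vuln feed
    released_at: datetime # timezone-aware release time


def tier(update: PendingUpdate) -> str:
    """Map an update to a priority tier; exploitation outranks severity."""
    if update.known_exploited:
        return "exploited"
    if update.severity == "critical":
        return "critical"
    if update.severity == "high":
        return "high"
    return "other"


def deadline(update: PendingUpdate) -> datetime:
    """Install-by time: release time plus the tier's SLA window."""
    return update.released_at + timedelta(hours=SLA_HOURS[tier(update)])


def prioritise(updates: list[PendingUpdate]) -> list[PendingUpdate]:
    """Order work: tier first, then asset class, then earliest deadline."""
    return sorted(
        updates,
        key=lambda u: (
            TIER_ORDER[tier(u)],
            ASSET_CLASS_RANK.get(u.asset_class, len(ASSET_CLASS_RANK)),
            deadline(u),
        ),
    )


def overdue(updates: list[PendingUpdate], now: datetime) -> list[str]:
    """IDs of updates whose deadline has already passed at `now`."""
    return [u.update_id for u in prioritise(updates) if deadline(u) < now]


# Constructed sample backlog (not real vendor updates).
SAMPLE_UPDATES = [
    PendingUpdate("UPD-A", "server", "critical", False,
                  datetime(2024, 6, 1, tzinfo=timezone.utc)),
    PendingUpdate("UPD-B", "firewall", "critical", False,
                  datetime(2024, 6, 1, tzinfo=timezone.utc)),
    PendingUpdate("UPD-C", "workstation", "medium", True,
                  datetime(2024, 6, 3, tzinfo=timezone.utc)),
    PendingUpdate("UPD-D", "server", "low", False,
                  datetime(2024, 3, 1, tzinfo=timezone.utc)),
]


if __name__ == "__main__":
    now = datetime(2024, 6, 10, tzinfo=timezone.utc)
    for u in prioritise(SAMPLE_UPDATES):
        print(f"{u.update_id:6} {tier(u):9} {u.asset_class:11} "
              f"due {deadline(u):%Y-%m-%d} {'OVERDUE' if deadline(u) < now else ''}")
```

Running the script prints the backlog in work order: the exploited workstation update first despite its "medium" severity, then the firewall and server critical updates, then the low-severity server update, with the two items past their deadline marked. The point of writing the plan as data rather than as judgement calls is that the same ranking comes out every time, whoever is on shift.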
Summary
It's pretty clear that having a solid process for keeping software up to date is a key security control for any organisation. While it can be a daunting process, the risks of not doing it speak for themselves.
Taking the time to define a good process for installing software updates will make the whole process significantly more manageable. Investing in some tools to help automate and manage the process will also go a long way, particularly for larger organisations.
Head of International Member Solutions at CBHS International Health | Lawyer
3 months
Great article, Nathan. Thanks for making it easy to understand the risks and how to manage them. CBHS is lucky to have you keeping us safe!
Leadership in risk management and more. My mantra - this too shall pass! Passionately curious about life… and after!
3 months
Such a well-written piece, Nathan. Once again you have shown many of us the security risks that we must manage and how they can be done. Thanks again for the info!