Why software updates are your friend not foe

Show notes

Dom: (00:00)
10 minutes, checking for updates every week could save you hours and hours and hours of lost working time, uh, or even lost data if you get hit by a virus or some kind of ransomware.

BBC News report: (00:13)
It looked at first like an attack just on hospitals in the UK but it’s now becoming clear that this malicious software has run riot around the world. Russia, the United States, and many points in between had been hit by what’s now a common form of cybercrime.

Ash: (00:31)
Welcome to Cybersecurity Demystified, where we explore the cybersecurity threats that your small or medium-sized business can face and give you some easy actionable advice to make your business more secure. My name is Ashley and I’m a small business owner who didn’t take cyber security seriously until my business was hacked.

Dom: (00:48)
I’m Dominic, a cyber security expert whose experience in the big corporate world has been really helpful for smaller companies.

Ash: (00:55)
So this episode we’re talking about updates. So tell me a bit more about that, Dom.

Dom: (01:00)
Well, to me, software updates are the equivalent of changing your password. When a, uh, a bug or a, a weakness is found in some software, you need to update it to close that bug, to close that vulnerability and ensure your computers remain secure.

Ash: (01:15)
Okay. But I use a lot of software, the Adobe set of packages for video and photography, et cetera. And I’ve been told not by cybersecurity experts but by people thinking more about video workflow that I shouldn’t update to the latest version of software until the bugs have been ironed out. Are they talking about the same bugs that you’re talking about?

Dom: (01:36)
No. They’re talking about new feature bugs typically, which are introduced by someone quickly updating software. What I’m talking about are errors, really the errors in the code that allow somebody to exploit your system. There are, there are different kind of updates as well. There are critical updates and high priority updates that you should apply straight away. Just just do it immediately. Uh, typically because there is a known exploit out in the wild, out on the internet that’s being sold or shared amongst hackers and other criminals to hack into, to exploit. Then there are also feature updates. They give you something new to the system rather than fixing a vulnerability that exists today.

Ash: (02:21)
Right. Okay. So I’ve got software on my computer, but my website’s on WordPress and I’ve seen that that has updates, which I think happen automatically.

Dom: (02:29)
Yeah. So updates can be for everything from your operating system to the applications on your computer to the software that runs the internet, WordPress or email servers. Some of these systems will update automatically and some don’t. Quite often WordPress as an example, it started in a started quite recently, automatically updating, but older versions of WordPress don’t automatically update.

Ash: (02:54)
And actually the hack that I had with my business was a bit complicated, but parts of was a hack with a plugin on WordPress, I believe rather than WordPress itself. So you’ve got various things on your WordPress site, not just WordPress itself.

Dom: (03:07)
Well, plugins are additional software applications that sit on top of WordPress and they need to be updated independently of of the WordPress application itself. And again, some will do it automatically, some won’t.

Ash: (03:23)
Okay. So I understand how that’s relevant to my business. But thinking a bit bigger than this, I remember a few years ago with the WannaCry hack that was ransomware, which isn’t to do with updates, but actually didn’t that come back to a situation that was about updates?

Dom: (03:38)
Well, ransomware is the, the result is a possible result like a, a virus infection of, of any kind. But what happened there was that these larger organizations, the NHS as a great example, hadn’t been updating their software regularly. Uh, and so a known vulnerability in the software they were running was exploited to install ransomware and then to effectively to encrypt their computers.

BBC News report: (04:04)
The irony is that security experts think a hacking tool allegedly leaked from America’s National Security Agency in April may have been used by the attackers. Microsoft warned about the threat this vulnerability posed, but said anyone who’d installed a security update to Windows software the previous month would be okay.

Ash: (04:24)
So does that kind of indicate that a lot of the time with cybersecurity it’s about doing things in advance of them becoming an issue rather than having to deal with the result of a hack?

Dom: (04:37)
Yeah. Updates are a preventative maintenance in the same way you take your car in to be checked over or you go for it. You go to your doctor once a year to have a checkup. Updates are preparing yourself and preventing hacks and breaches before they happen.

Ash: (04:54)
Right. So moving on, Dom. Let’s, let’s move to the solution. So what are the key things I need to be considering? We’ve covered a few already in covering what the problems are, but focusing it back,

Dom: (05:05)
Well, there’s, there’s lots of different things, uh, and, and different software behaves differently. I’m sure everybody has experienced Windows updates at some point. Normally when you shut down your computer and you’re in a rush and it says updating and it says updating for 10 minutes or 20 minutes and it’s, it’s really annoying. Um, but it’s, you know, Windows 10 is really helping you there.

Ash: (05:28)
But I know on my Mac for example, that computer has to be plugged in and it takes a long time to do it. So I know I’m guilty of pressing, remind me tomorrow, remind me in two days, remind me in four days and two weeks has gone by and I still haven’t done it because we’re always busy.

Dom: (05:45)
Yeah. Don’t know what to say about that.

Dom: (05:53)
Yes. Everyone’s busy and no one really gets any new feature out of these updates. It doesn’t allow you to do anything new. It just protects you from something you don’t necessarily even understand.

Ash: (06:02)
Yeah. Yeah. It’s funny that that feature benefits cause I’ve no longer got an iPhone, I’m now an Android user, but I know their updates, they almost made them exciting cause it’s like your phone is going to fundamentally change and do all this exciting stuff. Is it perhaps the case that people that are a bit boring, I don’t really understand how that works. And actually they’re more captivated by the features updates than they are by the more regular security updates.

Dom: (06:27)
That could be true. And that goes back to your earlier point that, you know, feature updates are not urgent. Um, so waiting for an update that’s going to provide you some new feature may leave you exposed to a threat or a vulnerability for a lot longer than you need to be.

Ash: (06:45)
Right. So I can see this as important, but in a small business, I’ve got, I think nine computers in my business and five members of staff who should be responsible for this.

Dom: (06:58)
Well, in a larger organization that has an IT team, it’s really easy. It’s the IT department. In a smaller company, you really want everybody to be responsible. Whoever has that, that device, whoever uses that machine should be checking it for updates. You have to take the time out of your day and do this. It’s, it’s called preventative maintenance for a reason. And yeah, 10 minutes checking for updates every week could save you hours and hours and hours of lost working time, uh, or even lost data if you get hit by a virus or some kind of ransomware. In the bigger companies as well, they have software that’s automatically monitoring every machine. Uh, and reporting back when software is out of date. Uh, and in many cases automatically applying those updates. Uh, a small company maybe doesn’t have that software but still needs to have the same mindset.

Ash: (07:49)
So to wrap up, what’s the takeaway from this, Dom?

Dom: (07:52)
Check and keep your machines up to date all the time.

Ash: (07:59)
All right, very clear. I like these simple conclusions. I think I over complicate things. I think in terms of my business, I’m actually going to take the step to just get everyone together and actually just talk about this for five, 10 minutes. It doesn’t need to take a lot of time for people to take accountability and for it not to just be hanging and for it, not just to be hanging on one person’s shoulders.

Dom: (08:22)
Yeah. And, and look for all your software. It’s, it’s easy to do your Windows updates, your Mac updates and your iPhone updates, check WordPress, check Java, check any other applications you’ve got as well.

Ash: (08:36)
So thanks for listening. Dom and I are the cofounders of Cyber Alarm, which is a cybersecurity platform that’s been designed specifically for small to medium-sized businesses. And in terms of updates, Dom, how can the service help?

Dom: (08:50)
Our service monitors your website and other internet facing software. And we alert you when the software is out of date and we’ll give you advice on how to, how to update it.

Copyright © 2019 Cyber Alarm Ltd.