Keeping Software Updated is a Team Sport

Competing priorities turn the technical aspect of updating software into a human and logistical challenge.

This is the first in a series of articles exploring specific areas that repeatedly present challenges between managed service providers (MSP) and small and medium-sized business (SMB) clients.

By Craig Moss and Chuck Veth

Keeping your software up to date is a crucial step in preventing cyber-attacks. Doing it effectively requires coordination between the organization, its employees and the team responsible for maintaining the computer systems. Many small and medium businesses (SMBs) hire outside companies, IT consultants or Managed Service Providers (MSPs), to manage their computer systems, which includes the critical task of keeping software updated.

One of the ways hackers get into companies is through outdated software. Major software companies regularly release updates that add new features and, importantly, patch security holes in the software. These holes are called vulnerabilities, and hackers can exploit them to gain access to your computers. Hackers track all the software updates from the big software companies, so they have a good idea of what security hole the software company is trying to patch. They count on the fact that companies and individuals will be slow to install these updates. Too often the hackers are right; people are too slow.

Software updates are a prime example of how the people in an organization need to work together with their MSP to stay secure. Effective cyber security requires the coordination of people, process and technology between the organization and the MSP. Almost every incident in an organization can be traced back to a single user making a mistake. That’s why influencing the behavior of your workforce is a critical part of an effective cybersecurity program. Training and clear processes at your company are 95% of the battle, while technology, like software auto-updates, is only effective if employees understand how and why to use it.

What could be a relatively simple task too often turns out to be confusing and complicated due to a lack of clarity about who has the responsibility and who has the authority. Competing priorities between the MSP and the SMB can turn the technical aspect of updating software into a human and logistical challenge.

Software updates typically require the computers to be unavailable for use for a while. Inevitably, someone in the company has a critical deadline or an important project that prevents the MSP from promptly installing a new software update. So the software update is delayed, and maybe delayed again. These delays give hackers a window of opportunity to exploit vulnerabilities in your computer system.

We want to keep this article simple, but there is an additional layer of complexity that all SMBs need to understand. Computers have operating system software, like Windows or macOS, which needs regular updates. They also run application software, like QuickBooks, Adobe Acrobat, or Microsoft O365 (Word, Excel, PowerPoint, Outlook), which also requires updates. Both types of software need to be kept current.

The situation becomes even more challenging when SMBs allow their employees to use their own devices–computers, tablets, and smartphones–at work. This practice, known as “bring your own device” (BYOD), saves money but makes it harder for the MSP to ensure all software on every device connected to your network is up to date.

For SMBs, it is wise to enable the auto-update feature on both operating systems and applications. However, even using this simple step can become complicated due to poor communication and collaboration between the SMB and the MSP. Remember, it is the SMB’s responsibility to establish a clear software update policy and ensure your users understand its importance. Too often, a lack of clarity between the SMB and the MSP only comes to light after an incident. Don’t wait for something to happen because the software wasn’t updated to discover there was confusion between responsibility and authority in managing the software updates. Don’t assume that the MSP has the authority because you think they are “responsible for the computers.”

Ultimately, it is the responsibility of the SMB to establish the rules for software updates and to educate employees about why they matter. The solution is for SMBs and MSPs to work as one team to manage software updates. To be effective, there must be a clear, shared understanding of roles and responsibilities, with a common goal of winning the software update game.

Craig Moss is Director of Content and Tool Development for the Cyber Readiness Institute and Executive Vice President of Ethisphere. He has extensive experience working with global value chain companies to better manage risks and improve compliance.

Chuck Veth is the founder and President of CVM. Chuck has a BS in Electrical Engineering from Cornell University. CVM was started in 1988 as an IT infrastructure support firm. As CVM grew, services were extended to include application development, strategic consulting, and systems administration. In 2010, CVM built a Tier 3 data center in Branford, CT to offer hosting and backup services to customers throughout North America.