Microsoft caused a stir among IT departments and sysadmins last week when the company announced it would no longer provide its free Advanced Notification Service (ANS), which delivered advance warning about the content of its monthly patches. The service is still available, but only for a fee.
Computer World reports that this change is a part of a shift at Microsoft as it looks to cut costs. Unfortunately, one of the largest victims of this cost-cutting has been the company's security team, which has seen significant layoffs and smaller budgets.
The move is a curious one. At a time when information security concerns are at an all-time high and most companies are emphasizing the strength of their security infrastructure, Microsoft is cutting back its services and charging more for what it does offer.
What Microsoft's Changing Security Means for IT Consultants
While patches are still available for free, IT professionals no longer get advance warning telling them whether they need to prepare for serious updates. With that warning, IT departments were able to prepare virtual machines onto which they could…
- Load the patch.
- See whether it caused any unforeseen problems with the rest of their IT environment.
Case in point: in December, when Microsoft patched Windows servers, IT professionals immediately ran into interrupted TLS connections (see "19-Year-Old Windows Bug and WinShock Are a Lesson in IT Liability"). However, IT professionals who paid attention to the advance warning had time to set up a test for the patch before installing it on their network. Without ANS, the disruptions would have been much more significant.
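The staging workflow the article describes (snapshot a test VM, apply the patch, check that TLS still works, roll back if it does not) can be scripted on a Hyper-V host. The script below is an added example written for this page, not code from the article or from Microsoft; the VM name, the .msu path inside the guest, and the TLS target host are placeholders, and it assumes a Hyper-V host with PowerShell Direct (Windows 10 / Server 2016 or later) and administrator credentials for the guest.

```powershell
# Added example (not from the original article): stage a Windows update on a
# Hyper-V test VM, verify a TLS handshake still succeeds, roll back on failure.
# Assumptions: Hyper-V module present, PowerShell Direct available, and the
# .msu file already copied into the guest at $UpdatePath. All names are placeholders.
param(
    [string]$VMName     = 'PATCH-TEST-01',             # placeholder test VM
    [string]$UpdatePath = 'C:\Patches\KBxxxxxxx.msu',  # placeholder path inside the guest
    [string]$TlsTarget  = 'intranet.example.com',      # placeholder server to reach over TLS
    [int]   $TlsPort    = 443
)

$checkpointName = "pre-patch-$(Get-Date -Format 'yyyyMMdd-HHmm')"
$cred = Get-Credential -Message "Administrator credentials for $VMName"

# 1. Snapshot the VM so the patch can be undone cleanly.
Checkpoint-VM -Name $VMName -SnapshotName $checkpointName

# 2. Install the update inside the guest with wusa.exe, then reboot and wait
#    until the guest integration services report a heartbeat.
Invoke-Command -VMName $VMName -Credential $cred -ArgumentList $UpdatePath -ScriptBlock {
    param($msu)
    Start-Process -FilePath 'wusa.exe' -ArgumentList "`"$msu`" /quiet /norestart" -Wait
}
Restart-VM -Name $VMName -Force -Wait -For Heartbeat

# 3. From inside the patched guest, perform a real TLS handshake (not just a
#    TCP connect) against the target. A Schannel regression shows up here.
$tlsResult = Invoke-Command -VMName $VMName -Credential $cred -ArgumentList $TlsTarget, $TlsPort -ScriptBlock {
    param($targetHost, $port)
    try {
        $client = New-Object System.Net.Sockets.TcpClient($targetHost, $port)
        $ssl    = New-Object System.Net.Security.SslStream($client.GetStream(), $false)
        $ssl.AuthenticateAsClient($targetHost)
        [pscustomobject]@{ Succeeded = $true; Protocol = $ssl.SslProtocol.ToString(); Error = $null }
    } catch {
        [pscustomobject]@{ Succeeded = $false; Protocol = $null; Error = $_.Exception.Message }
    } finally {
        if ($ssl)    { $ssl.Dispose() }
        if ($client) { $client.Dispose() }
    }
}

# 4. Keep the patched state only if the check passed; otherwise revert to the checkpoint.
if ($tlsResult.Succeeded) {
    Write-Host "TLS handshake to ${TlsTarget}:$TlsPort OK ($($tlsResult.Protocol)); patch can go to production."
    Remove-VMSnapshot -VMName $VMName -Name $checkpointName
} else {
    Write-Warning "TLS handshake failed after patching: $($tlsResult.Error). Reverting $VMName."
    Restore-VMSnapshot -VMName $VMName -Name $checkpointName -Confirm:$false
}
```

The handshake step matters more than a plain port check: the December regression the article refers to broke TLS negotiation while the TCP port stayed open, so `Test-NetConnection -Port 443` alone would have reported success.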
Why We're Still Far Away from Real Security Buy-In
There's a bigger problem just underneath the surface. Microsoft's cutbacks suggest that people – while they make a fuss about data security – don't really care enough to take it seriously.
If companies really felt that InfoSec was as vital as their IT consultants tell them it is, decisions like this would cause more of a stir outside IT departments. In reality, Microsoft's ANS cutback barely moves the needle among executives.
This shows how far the average company still is from knowing and understanding its security risks. While the rest of the country wants to talk about more secure data and greater transparency around data security measures (see Obama's much-hyped proposed data breach notification laws), this move makes advance security notices a pay-only game, showing that in reality security is something only a select few care about.
Understanding Cyber Liability and IT Contractor Risk Exposure
Microsoft's decision to ax its free ANS highlights the risks IT contractors face. Here's an example. Imagine you oversee a client's servers, which run the Windows Server platform. You know that Microsoft's monthly patches are coming out soon, but you don't know the extent of the vulnerabilities they'll patch.
When Patch Tuesday rolls around, the client can't afford any downtime and wants you to get the job done quickly. However, because you don't have time to test the update on a virtual machine, you run into problems and the server is down for a crucial eight-hour stretch of the work day. The tech outage causes the client to lose a significant customer with a five-figure contract. The client fires you and sues you for $50,000 in lost revenue and other damages.
Fortunately, IT Errors and Omissions Insurance (also called Professional Liability Insurance) pays for IT consulting lawsuits whether they stem from a data breach or from outages and functionality problems.
A basic E&O policy offers $1 million in lawsuit coverage, effectively shielding you from even the most exorbitant legal fees and damages you may have to pay in a lawsuit.
For free quotes on technology insurance, use our online insurance application.