Over the summer, cyber criminals hacked into a web application hosted by the Department of Energy and gained access to more than 100,000 personal records. Hackers were able to break in because the DOE had failed to install a simple software update.
Naturally, as an IT professional, you're familiar with software patches, which deliver important security and usability fixes to software already in use. While you understand the technical side of patches, you may never have considered them from a risk management perspective. In this article, we'll explore exactly that, through two major questions:
- What are the best practices for patching?
- What liabilities are software developers exposed to when they patch software?
Loud and Clear: How to Get Your Customers to Update Software
The second Tuesday of each month, Microsoft rolls out new patches for its software. Patch Tuesday, as it is now called, has been going on for 10 years, and this regularity has no doubt helped many Microsoft users remember to install software updates.
Your business isn't as prominent as Microsoft (you don't get to own one day of every month), but you should take a page from the tech giant’s book: communicate clearly with your clients about patches and the importance of immediately installing them.
This goes for both IT consultants who install third-party software and developers who write their own code. You can be liable for software defects in either circumstance, so make sure you effectively communicate with your clients about updates.
Risk Management in Software Development: Software Updates Also Expose Software Flaws
Patches are good, but they have one unintended consequence: attackers can analyze them too. By comparing the patched code with the previous version (a technique known as patch diffing), an attacker can see exactly which check was added or which line was changed, and that points straight at the vulnerability being fixed. The patch becomes a blueprint for attacking anyone still running the old version (i.e., software on the machines of people who haven't been diligent about updates).
This exposure window is why IT security experts say that Microsoft's Patch Tuesday is followed by Exploit Wednesday. Within a day of a patch release, attackers are probing for unpatched systems and exploiting the very flaw the patch just revealed.
Software patches are a double-edged sword. They fix security weaknesses, but publishing the fix also exposes users who are slow to apply it. For you, as an IT consultant, that means updating client software as soon as you learn about a fix (or getting in touch with clients right away to remind them to install it). Think of patches as a preemptive strike: they only work if they land before the exploit does, so the deployment window is measured in days, not quarters.
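To make that blueprint concrete, here is an added example (it is not code from the original article). It takes a tiny record parser before and after a security fix, pulls the added guard condition out of the diff the way patch diffing does, builds an input that violates the guard, and then lists which hosts in an inventory are still on a pre-fix version. The parser, the record format, the trigger bytes, the host names and the version numbers are all constructed for illustration.

```python
# Added example for this article (not code from the original post): a patch
# read the way an attacker reads it, and a check for who is still exposed.
# The parser sources, the trigger record, the host names and the version
# numbers below are all constructed for illustration.
import difflib
import re

# Constructed: one parser before and after a security fix. A record is one
# length byte followed by that many payload bytes.
OLD_SRC = """\
def parse_record(buf):
    length = buf[0]
    return buf[1:1 + length]
"""

NEW_SRC = """\
def parse_record(buf):
    length = buf[0]
    if length > len(buf) - 1:
        raise ValueError("declared length exceeds record")
    return buf[1:1 + length]
"""


def added_guards(old_src, new_src):
    """Return the conditions of every `if` the patch added.

    This is the heart of patch diffing: an added guard states exactly which
    input the old code accepted and the new code now rejects, so its negation
    is the attacker's trigger.
    """
    diff = difflib.unified_diff(
        old_src.splitlines(), new_src.splitlines(), lineterm="", n=0
    )
    guards = []
    for line in diff:
        # Skip the '+++' file header; keep only lines the patch added.
        if line.startswith("+") and not line.startswith("+++"):
            match = re.match(r"\+\s*if (.+):\s*$", line)
            if match:
                guards.append(match.group(1))
    return guards


def load_parser(src):
    """Compile one of the constructed sources so both versions can be run."""
    namespace = {}
    exec(src, namespace)
    return namespace["parse_record"]


parse_record_old = load_parser(OLD_SRC)
parse_record_new = load_parser(NEW_SRC)

# Constructed trigger built from the guard: declared length 10, only 3 bytes
# of payload present. The old parser accepts it and silently returns a
# payload shorter than declared; a C port doing memcpy(dst, buf + 1, length)
# would read 7 bytes past the record here.
TRIGGER = bytes([10]) + b"abc"


def version_key(version):
    """Turn '2.10.1' into (2, 10, 1) so versions compare numerically.

    Comparing version strings directly is a classic mistake: as strings,
    '2.9.4' > '2.10.0'. Real-world schemes with suffixes such as 'rc1' need a
    proper parser (for example packaging.version.Version).
    """
    return tuple(int(part) for part in version.split("."))


def exposed_hosts(inventory, fixed_in):
    """Hosts whose installed version predates the fix.

    Once the patch is public, these are the Exploit Wednesday targets and the
    clients to contact first.
    """
    fix = version_key(fixed_in)
    return sorted(host for host, v in inventory.items() if version_key(v) < fix)


# Constructed inventory: host name -> installed version of the parser library.
INVENTORY = {"ws-01": "2.9.4", "ws-02": "2.10.0", "srv-db": "2.10.1", "ws-03": "2.8.0"}
FIXED_IN = "2.10.0"

if __name__ == "__main__":
    print("guards added by the patch:", added_guards(OLD_SRC, NEW_SRC))
    print("old parser on trigger:", parse_record_old(TRIGGER))
    try:
        parse_record_new(TRIGGER)
    except ValueError as exc:
        print("new parser on trigger: rejected,", exc)
    print("still exposed:", exposed_hosts(INVENTORY, FIXED_IN))
```

The point of the first half is that the attacker never needs to find the bug: the patch says "reject records whose declared length exceeds the buffer", so the trigger is a record whose declared length exceeds the buffer. The second half is the defender's side of the same day: knowing which machines still run a version below the fix tells you whom to patch or call first, and the numeric version comparison matters because a naive string comparison would rate 2.9.4 as newer than 2.10.0.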
The Takeaway: Update Early and Often
Software patches are a key part of avoiding data breaches and cyber risk lawsuits – but they also carry their own IT risks. Here's what you need to do to get the most from software updates while minimizing your cyber risk exposure:
- Invest time in iterative software testing to find software flaws before a program is released. (For more on minimizing your E&O risks through software testing, check out the post “Software Testing to Identify E & O Liability.”)
- Install software patches immediately for yourself and clients or establish a system for communicating with your clients about newly available updates.
- If clients are responsible for updating their own software, teach them at installation time why patching promptly matters and show them how to do it.
- Anytime you release or install a software patch, reduce your risk of lawsuit by communicating clearly with clients about its importance.
Each IT project has its risks. You can't avoid them. But you can adopt these best practices to limit your risk exposure and reduce your risk of lawsuits. If you are sued, be sure to review the post “What to Do if You’re Sued: A Practical Guide.”