Patching the leaks: Organization policies need to emphasize updating software
Posted on 03/09/2016 at 12:00 AM by John Lande
This blog has previously covered the serious risks that cyber-attacks pose to organizations, and the role that employees have in defending against them. Verizon has released a report on data breaches that confirms the need to focus on the threat posed by cyber-attacks in 2016.
One of the critical vulnerabilities identified in the report was outdated software. This blog has previously noted the risks posed by security vulnerabilities in software. When software vulnerabilities are discovered, the companies that create the software work quickly to provide a security fix, which is released as a “patch.” Approving installation of these patches is important because it secures organizations against known vulnerabilities. However, many hackers know that organizations and individuals are not very good about promptly installing patches. As a result, hackers are able to take advantage of security vulnerabilities that have existed in certain pieces of software for over a decade.
In fact, according to Verizon’s 2015 report, 99.9% of the vulnerabilities exploited had a patch available for more than a year. In some cases, security updates had been available for many years.
This means that organizations are not taking advantage of the security updates that are available for the software they rely on. Patching plays an important role in an organization’s security plan because it helps secure systems against the kind of malicious software that can be used to cause substantial financial losses. The report makes clear that not every security update is equal, but organizations would do well to make sure that updates are installed promptly.
A program that ensures software is updated regularly should be part of a broader organizational policy that focuses on the role employees have in keeping security systems safe. However, it is important to keep in mind that designing a policy is not enough. An organization that adopts a policy and then fails to adhere to it can also face liability for that failure.
The material in this blog is not intended, nor should it be construed or relied upon, as legal advice. Please consult with an attorney if specific legal information is needed.
Categories: Cybersecurity Law, John Lande, Employment & Labor Law, Banking Law
The material, whether written or oral (including videos) that is posted on the various blogs of Dickinson Law is not intended, nor should it be construed or relied upon, as legal advice. The opinions expressed in the various blog posting are those of the individual author, they may not reflect the opinions of the firm. Your use of the Dickinson Law blog postings does NOT create an attorney-client relationship between you and Dickinson, Mackaman, Tyler & Hagen, P.C. or any of its attorneys. If specific legal information is needed, please retain and consult with an attorney of your own selection.