Most of us - at home, in small businesses, in multinationals - know perfectly well that patching our computers is one of the most important things we can do for our own online security, and for the security of others.
It goes without saying, though I'll say it anyway, that we ought to be prompt in applying software updates which fix security holes the Bad Guys already know about.
The problem is that, very often, we're tardy in patching.
This leaves plenty of vulnerable computers for cybercrooks to exploit to do their dirty work. Whether it's zombie malware on your home PC which is spewing spam, or an unsafe web server at your business which is serving poisoned web pages, you're putting yourself and everyone around you at risk.
Why? What makes us unwilling to make the often-trivial effort to immunise ourselves against well-known but already-preventable cyberdiseases?
Some people don't take computer security seriously because they don't see themselves as part of the problem. (Mac users are particularly vulnerable to this school of thought. They assume that the limited amount of Mac malware is a side-effect of inherent resilience in their operating system, rather than merely that the crooks haven't focused much on them yet.)
Don't make this assumption. Even if you don't care about your own security, spare a thought for everyone else who might get affected if you inadvertently become part of the problem.
Others are reluctant to patch because they're understandably fearful of change. What if the patch merely makes things worse? What if the patch needs a patch? Why not wait for other people to go first and see how they get on?
But a little reluctance goes a long way. If you're a business system administrator, by all means wait a while, do your "due diligence" and try patches on a few test devices first. Just don't take too long.
Plan to be able to change quickly anyway, not just for security reasons. Plan to be able to roll out patches quickly and to unroll them equally quickly if needed. That sort of nimbleness will make you much more resilient in any future IT emergency. Learn to patch in days, not months or weeks.
And some companies don't patch because they rely on legacy applications which simply aren't being kept up-to-date and which break if brought into the present day.
Don't stand for this in your organisation.
If you have a software vendor who insists on you living in the security past (for example, by requiring you to stick to Internet Explorer 6), give them the boot immediately.
Take the pain of change now, on your own terms, before the crooks make you feel the pain on theirs.
When you're spending money on software, invest in developers who care about security at least as much as you do.
Patching our attitude to patching
By Paul Ducklin on Nov 30, 2011 8:30AM
