This article is posted with permission from VC3's blog and shares non-technical, municipal-relevant insights about critical technology issues, focusing on how technology reduces costs, helps better serve citizens, and lessens cybersecurity risks. VC3 is solely responsible for the article’s content.
Today, all of government—including local government—is a target for hackers.
Wired recently reported the results of a study done by SecurityScorecard that ranked government 16 out of 18 industries for cybersecurity.
According to Wired:
The analysis of 552 local, state, and federal organizations [...] found that the government particularly lags on replacing outdated software, patching current software, individual endpoint defense (particularly when it comes to exposed Internet of Things devices), and IP address reputation...
In this post, we want to focus on modernizing and patching software. These two items were the reason that the
WannaCry ransomware virus devastated so many organizations earlier this year.
If patching could prevent so many hacking attempts, then why don’t organizations (including local government) do it more often.
According to a Computer Weekly article, patching is viewed as too costly and resource-intensive:
For those organizations where patch management is currently ad hoc at best, developing a policy and framework may seem like another cost that they can do without. However, continuing with ad hoc patching, as and when time and resourcing allows, is wholly inadequate if the organization is to be protected from threats exploiting known vulnerabilities.
The risks and dangers from failing to proactively manage technology patches and updates are simply too great to ignore. Here are five major reasons you need to patch.
1. Information Security
First and foremost, patch to shore up security flaws that are inevitable in any software. Vendors release patches when they discover security flaws and vulnerabilities in their software that hackers can exploit. Without patching, you are more susceptible to viruses, malware, hackers, ransomware, malicious websites, and malicious email attachments.
When discussing WannaCry back in April 2017, we said:
Microsoft released a Windows security patch in March 2017 that prevented WannaCry from affecting an organization. According to CNN, “The ransomware is spread by taking advantage of a Windows vulnerability that Microsoft (MSFT, Tech30) released a security patch for in March. But computers and networks that hadn't updated their systems were still at risk.”
Without applying basic, routine patches, you’re increasing the risk of getting hit by the next major cyberattack.
2. System Stability
Patches also help fix bugs and issues that can affect productivity. Like maintaining a car, software needs tuning and repair. Patches help keep your technology “car” in good driving shape. Otherwise, you may notice your systems slow down to a crawl, crash, or be visited by the blue screen of death. In some cases, not applying patches can actually damage your software configuration and/or data, ruining your investment and interfering with employee productivity.
3. Software Performance
In addition to helping your software simply function, patching also leads to new features and improved performance. Especially today, software vendors continually add updates, features, and functionality that help make your work easier. For example, your word processing software might add features like autosaving or collaborative editing that would assist you in your day-to-day work.
4. Threat of Data Loss
When software breaks, malfunctions, or gets hacked, you risk data loss. Not patching threatens access to valuable data that—without proper data backup and disaster recovery—may get permanently lost. This is especially a risk when you use outdated software that’s not supported any longer by the original software vendor. It’s not unusual to see cities using software that is 8-10 (or more) years old and hasn’t been supported by the software vendor for a long time.
In addition, even having a data backup and disaster recovery solution in place may not work effectively with older, unpatched software. That’s why modernizing and regularly patching software also affects your data backup and disaster recovery strategy.
5. Compliance
If the above four reasons don’t convince you, then compliance should. Plenty of existing and proposed federal and state laws are requiring cities to follow basic cyber hygiene—including patching—to protect sensitive and confidential information. While citizens can choose to share information with businesses, they don’t have any choice about sharing information with cities. As a result, cities absolutely cannot be lax in their protection of that information. Otherwise, lawsuits, public outrage and embarrassment, job termination, and other consequences are possible results from such poor cyber hygiene practices.
While seemingly extremely tactical, patching is a part of compliance as cities make sure they are securing and protecting the information of citizens.
As we noted in a recent post:
Federal and state compliance is getting serious. In May 2017, the President signed a cybersecurity executive order requiring departments and agencies to follow the same cybersecurity standards and best practices placed upon the private sector. And Arkansas signed SB138 into law in March 2017. Arkansas cities can now lose their charter from noncompliance with IT-related accounting practices.
To protect your city, you need IT support that helps you guard against cyberattacks by keeping your computers patched, protected, and healthy. Otherwise, you introduce a great deal of risk to your city that can lead to some dangerous consequences.