Your security adventure pack is getting quite full!
So far your small group has:
- an asset (accounts, systems, technology) checklist,
- a password manager full of unique passwords for each of those assets, and
- two-factor authentication configured for your important assets.
We hope you have been working out - because we are going to add one more thing to that pack - patches and updates.
Step 4. Keep your devices and systems up-to-date
In order to give that technology some TLC, set a monthly reminder to check the patches or updates available for anything in the Technology & Systems column of your asset list. This is going to include:
- Operating system for any mobile devices or computers
- Software or apps on those mobile devices or computers
- Operating system for any server you run (like web servers)
- Operating system for any cloud infrastructure you run
- Software running on that cloud infrastructure
- Plugins or content management software for your website
Ain’t no party like a patching party, amirite?
Schedule this reminder for when you have some downtime. It should take you less than 15 minutes, so you could even knock it out while enjoying a morning coffee (or a midnight snack for you night owls).
If you can, configure these updates to run automatically. You should be able to set that for things like your mobile devices and computers. Performing updates usually means restarting the device, so have a cup of tea and a break and let them reboot when they need to.
The reason why this step is important is because updates often have security fixes that close weaknesses in the software. Attackers have all sorts of tools in their toolbox - including automated software that can scan the internet for vulnerable systems, and automatically run programs that take advantage of them. You might think your group is too small to be noticed - but that is not true when you are up against computers that don’t sleep and can run automatically with no human input.
Some of you probably spend your day job working in places with change windows and proper full change processes. As a small group, you probably don’t have to worry much about that. To make sure this is the case, a good question to ask yourself is:
Would anyone be negatively impacted if this technology was offline or unavailable?
If the answer is yes, it would be important to have some comms prepared to inform people when they might expect the system to be unavailable. You could send these comms via email, or post them on your website.
It will also be important to perform backups before applying updates so you can quickly roll back if something isn’t quite right and if the system is not coming back online. Spoiler alert: The next and final blog is all about backups! So tune in for details then.
Keeping your technology patched and up-to-date is key. Just like you have a search engine for websites, there are search engines and scanning tools for finding technology. It is easy for attackers to create programs to find technology that is easy to attack. You don’t need to worry though - you are all patched!
I am sad to say that we have one final step before we part ways and you spread your secure-wings and fly. Tune in for our last and 5th post in another fortnight.