August 2024 Volume 6
OPERATIONS & MANAGEMENT
KEEP IT CURRENT TO REDUCE “TECHNICAL DEBT” By Jim Kerr
“Technical debt” occurs when a business delays IT upgrades or chooses solutions that are quicker or cheaper than required to effectively support its operations. This debt can accumulate over time, resulting in increased cybersecurity risks and significant, unplanned expenses to replace unsupported or obsolete software and hardware. To help reduce technical debt, prioritize the following software and hardware best practices:
• Frequent patching
• Timely upgrades to current software versions
• Regular rotation schedule for hardware refreshes

Importance of Frequent Patching
Frequent patching is one of the easiest ways to help protect against cyberattacks, and it’s a key element in a layered approach to cybersecurity. Patches can fix bugs and optimize software. More importantly, they fix security vulnerabilities that can be exploited by cybercriminals.
Patching is a best-practice requirement for cyber liability insurance risk assessments. Often, assessments require critical patches to be applied within 30 days. Make sure you have the necessary reporting in place to prove that you patch, since a cyber liability insurance carrier could deny your claim if you’ve falsely stated that you patch or you can’t prove it. Finally, if you’re breached due to a vulnerability that has a known patch available, the task of defending your actions to clients, regulators, and insurers becomes challenging and potentially costly.

How to Keep Patches Current
• Make sure your IT provider remotely applies patches from Microsoft and other key software vendors on a regular basis. Critical security updates should be applied as soon as possible. Ask for the patch reports so that you can keep on top of machines with missing patches.
• If your IT provider doesn’t manage patches for you, set all computers to automatically update, and avoid using the “Remind Me Later” button. Keep in mind that automatic updates will not generate reports.
• Set browsers (Chrome, Edge, Firefox, etc.) to automatically update.
• Set your phone and tablet to automatically update.

Prioritize Timely Upgrades to Current Software Versions
Software vendors are constantly overhauling their entire packages for better performance and security. It’s tempting to put off installing the newest version of software because it disrupts your team and can be expensive. If you fall one or two versions behind, your technical debt may be manageable. Beyond that, you may
How Cybercriminals Find Vulnerabilities
Publicly disclosed cybersecurity vulnerabilities are identified, defined, and catalogued by the CVE Program. CVE is an international effort that helps cybersecurity professionals coordinate their work prioritizing and developing fixes. Every vulnerability is rated as a low, medium, high, or critical risk. Patches are developed and prioritized for deployment based on these categories. The disclosure of vulnerabilities to the public through CVE Records can be an open invitation for cybercriminals. They’ll go on the prowl looking for unpatched systems, either using manual scans or computer bots. If you keep patches current, the hackers are more likely to pass you by.

Business Risks from Unpatched Systems
Unpatched systems are a proven business risk. According to the Verizon 2024 Data Breach Investigations Report (DBIR), the exploitation of vulnerabilities as an initial point of entry almost tripled from the previous year, accounting for 14% of all breaches. This spike was driven primarily by the increasing frequency of attacks targeting vulnerabilities on unpatched systems and devices (zero-day vulnerabilities) by ransomware actors.
According to the Verizon 2024 DBIR, 85% of critical vulnerabilities are unremediated 30 days after discovery, 47% are not corrected after 60 days, and 20% are still active after 180 days. After an entire year, cybercriminals can still find 8% of unpatched vulnerabilities to go after.
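As an added example (not part of the article), the following Python turns a patch report into the two numbers the article asks you to track: which machines missed the 30-day critical-patch window that insurers look for, and the DBIR-style share of critical vulnerabilities still unremediated at 30, 60 and 180 days. The report rows, hostnames, vulnerability ids and the non-critical SLA windows are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional
# Assumed SLA windows per CVE severity rating; the article fixes only the 30-day critical window.
SLA_DAYS = {"critical": 30, "high": 60, "medium": 90, "low": 180}

@dataclass
class Finding:
    host: str
    vuln_id: str                # placeholder ids, not real CVE records
    severity: str               # CVE-style rating: low / medium / high / critical
    available: date             # date the vendor patch became available
    remediated: Optional[date]  # date the patch was applied, or None if still missing

def days_open(f: Finding, as_of: date) -> int:
    """Days from patch availability to remediation (or to as_of if still open)."""
    return ((f.remediated or as_of) - f.available).days

def sla_breaches(findings, as_of: date, sla=SLA_DAYS):
    """Findings that were not (or not yet) patched inside their severity's SLA window."""
    return [f for f in findings if days_open(f, as_of) > sla[f.severity]]

def unremediated_share(findings, severity: str, horizon_days: int, as_of: date) -> float:
    """Fraction of `severity` findings still open `horizon_days` after the patch appeared, counting
    only findings old enough to have reached that horizon (the DBIR '85% at 30 days' metric)."""
    eligible = [f for f in findings
                if f.severity == severity and (as_of - f.available).days >= horizon_days]
    if not eligible:
        return 0.0
    still_open = [f for f in eligible
                  if f.remediated is None or (f.remediated - f.available).days > horizon_days]
    return len(still_open) / len(eligible)

# Constructed sample patch-report rows (hostnames and ids are made up).
AS_OF = date(2024, 8, 1)
SAMPLE = [
    Finding("ws-01", "VULN-1", "critical", date(2024, 6, 1), date(2024, 6, 10)),  # 9 days: within SLA
    Finding("ws-02", "VULN-1", "critical", date(2024, 6, 1), date(2024, 7, 15)),  # 44 days: breach
    Finding("srv-01", "VULN-2", "critical", date(2024, 7, 20), None),             # 12 days open: not yet a breach
    Finding("srv-02", "VULN-3", "critical", date(2024, 1, 1), None),              # 213 days open: breach
    Finding("ws-03", "VULN-4", "high", date(2024, 5, 1), date(2024, 6, 15)),      # 45 days: inside the 60-day high SLA
]

if __name__ == "__main__":
    for f in sla_breaches(SAMPLE, AS_OF):
        print(f"SLA breach: {f.host} {f.vuln_id} ({f.severity}, {days_open(f, AS_OF)} days)")
    for horizon in (30, 60, 180):
        print(f"critical still open at {horizon} days: {unremediated_share(SAMPLE, 'critical', horizon, AS_OF):.0%}")
```

Pointing the same functions at the report your IT provider exports gives the evidence trail the article says an insurer may ask for.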
FIA MAGAZINE | AUGUST 2024 52