A primer on how and how often to install security updates for those companies that don't have a large IT department.
The security software’s been installed. It includes anti-virus protection, a spam blocker, a firewall, a pop-up blocker and a spyware filter. Feel safe, yet? The good news: once all that’s done, the system is safe -- at least for the moment. The bad news: a moment is about as long is it lasts.
Malware programmers (whom most people call “hackers”) are constantly finding vulnerabilities in all brands of security software and writing code to exploit them. Security software vendors, at the same time, are constantly writing additional code for their programs to shore up those vulnerabilities from new threats.
Those pieces of new code are called “patches” and without them your software is essentially worthless.
Install all patches and updates
It sounds so simple, but staying on top of those patches or updates is where the wheels fall off for most small and mid-size businesses that can't afford a separate staff or department for information technology. No one can really blame the software vendors on this one, either. “Where there are updates available make sure you install them," says Joern Wettern, co-author of Firewalls for Dummies. "Check all your computers at least once month to make sure no one’s turned off the automatic update feature.”
Most security programs now include an automatic update feature that will have your computer download new updates directly from the vendor’s website on a regular schedule. The most it might require of the end user is the occasional request to reboot or a pop-up screen asking for a “click yes” to accept updates.
For many end users, even that’s too much.
“People get annoyed with those pop-up screens and just turn off the automatic feature. All it takes is one machine to not be updated and your whole network is vulnerable," says security expert and partner John DeLozier, from Nply Security, a Dallas-based network security consulting group.
DeLozier recommends utilizing what network security professionals euphemistically call the good old-fashioned “sneaker net.” What that amounts to is periodically have someone physically walk around to every single computer within the business to make sure the automatic update feature is toggled to the “on” position and is doing its job.
Assign responsibility for patches
DeLozier suggests that businesses follow this two-step strategy to keep the company's systems safe.
Have a maintenance plan. If you don’t have at least a part-time IT staffer to be responsible for patches and updates, then appoint someone else within the organization to be that person. Whether it’s once a month or once a quarter, have a set schedule to check all the computers and make sure patches are being downloaded on a regular basis.
Make sure the plan gets executed properly. Once you make the commitment to a set a maintenance schedule, stick to it. Don’t let patches and updates fall off the priority list. Use reminders on project calendars and keep a written track record of dates and computers that have been checked. Don’t let a viral attack be your reminder that it’s time to update your software.
If the budget allows, there are a number of commercial software applications available that help organize and streamline the management of updates. Some of the popular software manufacturers who make products in this field include: Kaseya, GSI Languard, Numara, and Microsoft, the latter of which makes a Baseline Security Analyzer.
Before committing to any software solution to patch your systems, just remember this: it’s one more piece of software someone has to be familiar enough with to properly utilize. The bottom line for small and mid-size businesses in need of developing a solution to patch their PCs is that they need to follow through. “Good security can be done on a budget," says Ben Rothke, director of security technology implementation at AXA Financial and a frequent speaker at conferences on security topics, "but you do have to manage it.”