Many IT teams are facing the double dilemma of more applications to manage, at the same time as more frequent and complex updates to run. At the same time, ransomware hackers are increasingly looking for vulnerabilities in the security of applications as a way to access and encrypt organisations’ critical data, infrastructure or devices.
When vulnerabilities such as the so-called PrintNightmare are exploited, hackers have the ability to install programmes, access or modify data, and even create new user accounts.
Despite this, some firms have been found to take up to 205 days to run critical updates and shut down vulnerabilities.
As a result, the UK’s National Cyber Security Centre has posted advice about the security risks that out of date applications pose to British firms. The guidance focuses around the need to run patch updates, ideally within 14 days in order to ensure new security features are running as soon as possible.
The importance of updates – and the flaws of automatic updates
Running updates is essential to ensure that operating systems, web browsers and extensions, third party applications and anti-virus agents are all kept up-to-date. While some third party apps are set to auto-update, others require manual intervention.
Even if applications are set to auto update, relying fully on this can be a risky strategy for IT. Auto updates can be delayed or even blocked completely if users have disabled updates. This risk is intensified in organisations running a Bring Your Own Device (BYOD) policy in which users have more control of their own devices. Auto updates are often disabled anyway by IT because users lack the admin rights to install them. This ensures IT remain fully in control of the process.
Auto updates can also be interrupted by a lack of WiFi connectivity, power supply, storage limitations, or device age. Finally, for their effect to kick in, some updates may require the user to manually restart their device. If the device is only snoozed every night and not fully rebooted, this may mean the updates do not take full effect for several weeks.
Avoiding the potential downsides of patch updates
There are other downsides to auto updates. Some updates have also been known to cause problems with how applications function. If auto updates take place across a large number of users’ devices but cause a problem with a business critical application, there can be serious impacts on productivity.
Separating updates into user deployment rings ensures that testing can be carried out on a small number of devices before wider groups of users are potentially impacted. This can be setup so early adopters get updates first, then a larger group of users, followed by an organisation-wide rollout.
However, it is important to work through the remaining users once testing has been conducted as this presents a potentially easy route in for hackers to exploit devices that were excluded from the original test group.
What is the solution?
Given the risks associated with slow updates or automatic patching, more IT teams are looking for alternative solutions to application management. To do this, several best practices can be applied to balance security with user productivity across many applications. This can include:
- Application inventory and tracking to establish what needs protecting.
- Carry out threat assessments to understand threats and how to mitigate them.
- Stay on top of patches: Despite the importance of this, many organisations are not up-to-date with patches.
- Use containers to create silos and reduce risk.
- Encrypt data in at-rest and in-transit status.
- Use privilege management to reduce risk of external attacks through silos, and insider threats through limitations on access.
- Conduct penetration testing to find weak points in applications.
Is your application management scalable?
These best practices are a bare minimum for good application management, and they can all be applied to reduce the risk of vulnerabilities. The reality for IT teams running hundreds or even thousands of applications is that it is simply not realistic to apply this same rigor to every application.
This is a problem, when even the most obscure, apparently low-priority application can provide an access point for hackers to exploit.
How can application management services help?
Expert application management services help organisations efficiently deploy and manage third party or in-house software applications. With easily-deployable desktop and server application packages, software patches and other dependencies can be deployed without the user’s machine being physically present.
Application management services also help reduce the overheads required for moving to new software versions or replacing applications that are no longer supported by the vendor. This can be particularly troublesome when applications have been customised from the off-the-shelf version. Application services mitigate licensing issues and the need to re-train large numbers of users.
To find out more, join our Linkedin Live event – Transforming Your Digital Workplace on March 3rd.