Why a simple update policy could save your business from cyber attacks
On 28 March, Australian television network, Channel Nine, experienced the ‘largest cyber attack on a media company in Australia’s history.’
The attack took them off the air during Sunday broadcasts and interrupted scheduled programming over several hours.
Investigation found that the incident began Saturday night when computers in Channel Nine’s Sydney network started operating strangely. By Sunday morning, many of them ceased to function altogether.
The network had been targeted by hackers and significantly compromised, leading to broadcast disruptions.
So, how did the breach happen?
Following current speculation and trends in cybersecurity, the ABC reports that the incident may be a result of recent security breaches on Microsoft Exchange Servers.
The Australian Cyber Security Centre (ACSC) also reports that a large number of Australian organisations were targeted and compromised in cyber attacks due to new vulnerabilities in Microsoft Exchange deployments.
Not only were Channel Nine systems affected, but unrelated intrusion attempts were identified at the famous wine company, Taylors Wines, and even among some systems of federal Parliament.
But where did the vulnerability come from? And how did it lead to this major Channel Nine cyber attack?
First, we need to define what a vulnerability is.
The ACSC defines a vulnerability as ‘a weakness in system security requirements, design, implementation or operation that could be exploited’.
When there’s a vulnerability in a system or application, cybercriminals can exploit system loopholes and security openings to steal or manipulate confidential information.
Or, in the case of Channel Nine, to significantly disrupt services.
What can we do about it?
Vulnerabilities are common in apps and digital environments, so they are a security concern for all businesses, big or small.
But how do we fix them?
A patch, simply put, is an update provided by a company to remove vulnerabilities in their products and software. Patches can be downloaded and used with little technical knowledge required and are often as simple as clicking ‘yes’ or ‘no’ on an update reminder.
Yet according to CSO Australia an alarming 60% of breaches in 2019 involved exploitation of unpatched vulnerabilities.
Without patches, hackers and cybercriminals have free reign to exploit vulnerabilities and cause massive damages to users.
In the case of Channel Nine, the network is reportedly experiencing ongoing issues in the fallout of the attack, almost a month after it was initially reported.
If the speculation that Microsoft Exchange vulnerabilities were exploited during the incident is true, a simple initial patch may have been enough to avoid the attack altogether.
But, still, many Australian organisations are yet to patch these Microsoft Exchange environments, leaving small businesses at risk of security issues.
What is the solution?
This is where an update policy comes in.
Update policies, or ‘patch management policies’, govern when and how patching is done in an organisation. A strong patch management policy ensures that patching is systemised, and that relevant members of staff are held accountable to patching standards.
With a strong patch management policy, it’s less likely that crucial application updates get missed or repeatedly snoozed by staff – and less likely that high-risk vulnerabilities will remain open to attackers and cybercriminals.
How to create an update policy
When creating a patch management policy for your business, consider the following:
- What are the acceptable deadlines for applying a patch? Most application vendors will either email you when a patch is available or have an in-built reminder function to alert you to them (such as when your operating system asks if you would like to update). A good basis is to apply all available patches within 30 days of their release.
- What devices and applications are in your organisation? It’s all well and good to install the updates that you’re made aware of, but it’s equally important to keep an inventory of required updates across the organisation. Tally all computers, tablets, phones and other work devices in the organisation, and ensure you are aware of all applications installed on them.
- Are automatic notifications enabled? To avoid discovering a vulnerability once it’s too late, always enable patch and update notifications in applications where possible.
- Are automatic updates enabled? The most common cause of data breaches is said to be human error. As such, it’s crucial to automatically enforce and install updates where possible, rather than relying solely on members of staff to install them.
- Who is responsible for ensuring that updates are installed? Generally, it should be up to each device-user to install their application updates. However, for larger or more technical patches, such as an email environment or website application, it’s often best to delegate this responsibility to a specific team or staff member and ensure they’re supported appropriately.
According to a survey by Voke Media, 80% of companies who suffer a data breach could have prevented it via patching and updating their systems. And current trends in ransomware are still largely exploiting the same known, patchable vulnerabilities from as far back as 2017.
While patching is easily neglected, it can also be as simple as the click of a button.
Simply setting a few expectations and standards for patch application in your organisation can be the key difference in surviving an attempted breach.
So don’t let it wait.
For more information on patch management, read the System patching chapter of the ACSC Guidelines for System Management.