Deployment of security updates will be governed by those liable for the risks – the insurance companies.
The world experienced a global IT outage last Friday (19 July 2024) and into the weekend due to a defective cybersecurity software update on Windows computers running cybersecurity firm CrowdStrike’s Falcon software. Countless articles and blog posts have raised questions about what Dr Shumi Akhtar, Associate Professor at the University of Sydney, has called the “fragility of our heavily digitised world.” The conversation has inevitably included how we should be managing security updates, especially their rapid, often untested deployment to production systems.
In the ever-escalating conflict between shadowy hackers and those tasked with keeping our digital systems secure, we are advised to apply updates for our security tools as soon as possible, to minimise the chance of hackers exploiting new vulnerabilities or new hacking techniques. With the recent fault having been caused by a software update, many are asking whether security updates should be deployed so rapidly.
What if we don’t deploy security software updates as rapidly as advised?
There is a precedent for delaying updates, born out of an era when it felt like Windows updates caused as many issues as they resolved. We use mechanisms such as pilot groups or update rings, which enable a managed deployment of updates to less critical devices first – our guinea pigs or crash test dummies. Once stability and reliability are assured, we allow our more sensitive and critical systems to be updated.
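To make the update-ring idea concrete, here is an added example (not code from the original post, and not CrowdStrike’s or any vendor’s own rollout mechanism) of the gating logic behind a tiered deployment: an update is only promoted from one ring to the next after it has soaked in the current ring for a minimum period and the fraction of hosts reporting a fault stays below that ring’s threshold; otherwise the rollout is halted before it reaches critical systems. The ring names, soak periods, thresholds, host names and telemetry records are all constructed assumptions for the illustration.

```python
"""Ring-based (tiered) rollout gate for security-agent updates.

Added illustration, not CrowdStrike's or any vendor's own mechanism. Ring
names, soak periods, failure thresholds, host names and the telemetry used
in the demo are constructed assumptions chosen for the example.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone


@dataclass
class Ring:
    name: str
    hosts: list[str]
    soak: timedelta           # minimum time the update must sit in this ring
    max_failure_rate: float   # largest share of faulting hosts tolerated


@dataclass
class RolloutState:
    version: str
    rings: list[Ring]         # ordered from least to most critical
    current: int = 0          # index of the ring currently receiving the update
    started_at: dict[int, datetime] = field(default_factory=dict)
    halted: bool = False


def begin(rollout: RolloutState, now: datetime) -> None:
    """Push the update to the first ring and start its soak clock."""
    rollout.started_at[rollout.current] = now


def failure_rate(ring: Ring, telemetry: dict[str, str]) -> float:
    """Share of the ring's hosts whose last report was a fault
    (e.g. agent crash or failed boot); unknown hosts count as healthy."""
    if not ring.hosts:
        return 0.0
    faults = sum(1 for host in ring.hosts if telemetry.get(host) == "fault")
    return faults / len(ring.hosts)


def evaluate(rollout: RolloutState, telemetry: dict[str, str], now: datetime) -> str:
    """Decide what the rollout should do next.

    Returns "halt" (fault threshold exceeded, or previously halted),
    "hold" (still soaking), "promote" (advanced to the next ring) or
    "complete" (the final ring has soaked cleanly).
    """
    if rollout.halted:
        return "halt"
    ring = rollout.rings[rollout.current]
    if failure_rate(ring, telemetry) > ring.max_failure_rate:
        rollout.halted = True          # stop before the update reaches later rings
        return "halt"
    started = rollout.started_at.get(rollout.current)
    if started is None or now - started < ring.soak:
        return "hold"
    if rollout.current == len(rollout.rings) - 1:
        return "complete"
    rollout.current += 1
    rollout.started_at[rollout.current] = now
    return "promote"


def sample_rollout(version: str = "agent-update-example") -> RolloutState:
    """Constructed four-ring rollout: lab canaries, IT pilots, the broad
    estate, and finally the critical servers with zero tolerance for faults."""
    return RolloutState(version, [
        Ring("canary", ["lab-01", "lab-02", "lab-03", "lab-04"], timedelta(hours=1), 0.0),
        Ring("pilot", [f"it-{i:02d}" for i in range(10)], timedelta(hours=4), 0.10),
        Ring("broad", [f"corp-{i:03d}" for i in range(40)], timedelta(hours=24), 0.02),
        Ring("critical", ["erp-db-01", "erp-app-01"], timedelta(0), 0.0),
    ])


if __name__ == "__main__":
    t0 = datetime(2024, 7, 19, 4, 0, tzinfo=timezone.utc)   # constructed timestamp
    rollout = sample_rollout()
    begin(rollout, t0)
    # Constructed telemetry ticks: (time, {host: status}); everything absent is healthy.
    ticks = [
        (t0, {}),
        (t0 + timedelta(hours=1), {}),
        (t0 + timedelta(hours=5), {"it-00": "fault"}),
        (t0 + timedelta(hours=6), {"corp-000": "fault", "corp-001": "fault"}),
    ]
    for now, telemetry in ticks:
        ring = rollout.rings[rollout.current].name
        print(f"{now.isoformat()} ring={ring} -> {evaluate(rollout, telemetry, now)}")
```

Run as a script, the demo walks the constructed rollout through the canary and pilot rings and halts in the broad ring when two of forty hosts fault (5%, above that ring’s 2% limit), so the critical ring never receives the update. The design point is that the thresholds tighten as rings grow more critical, and a halt is sticky: once tripped, nothing short of a new rollout (a new version) moves the update forward.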
So this begs the question…
Why don’t we roll out security software updates in a tiered manner, like Windows updates?
At this point, we have to weigh the risks of doing what we’ve always done – deploying security updates as soon as possible – against the alternative: delaying updates to critical systems until they have proven stable elsewhere. Friday’s events demonstrate the risk and cost of immediate deployment: a defective update has global impact, across a vendor’s entire customer base. If we delay deployment, we risk leaving our organisations open to cyber attack.
Who will decide which approach we should take?
We all will have opinions on which approach is best and whether there are better ways to manage things, but ultimately…
Decisions will be governed by those at the most risk: company directors and, in turn, their protectors, the insurance companies.
We are yet to see guidance from insurance companies on how they view these two opposing risks, a failed update versus a cyber attack, and which they deem more critical. For now, most insurance policies require demonstrating competent management of security systems in order to make a successful claim in the event of a cyber attack. If we delay security updates, and we are attacked in a way that could have been prevented by applying the update, have we demonstrated competence?
If we delay security updates, will our cybersecurity insurance policies still deliver?
For now, it would seem, we would do best to maintain the status quo, or else accept the risk of a breach being an uninsured event.
Moving forward, insurance companies may take a different view and the question we might need to ask next could be…
If security updates cause business interruption, will insurance companies continue to provide protection?
For now, we await a response from the companies that have provided insurance to those impacted by this recent global outage.
- What will be the priority moving forward, protection from cyber attack, or more careful deployment of protections?
- What new responsibilities will fall on companies to ensure they are covered for both cyber attacks and business disruption from faulty updates?
Speak to your insurance advisor and find out what their current position is, and be ready for that to change in the future.
DISCLAIMER: I’m no insurance expert and may be completely missing something in this conversation, so I’d love to hear from those better informed so that I and the technology community at large can make more educated decisions regarding the protection of their systems, data, employees, and customers.