It’s amazing when you watch a lightbulb moment happen – especially when you’ve spent a great deal of your professional life devoted to it.
That’s how it felt when I first heard about the UK Government’s Cyber Aware campaign. Watching a TV advertisement solely focusing on encouraging people to update their software felt like the advent of a new stage in application security. And if you haven’t seen it already, I’d recommend that you invest the 30 seconds to do so – you can find it online here.
What’s wrong with my software?
But let’s go back to the beginning – why am I so excited about a Government advertisement?
Weaknesses, or vulnerabilities, in the software, web and mobile applications that we use or download onto our computers, tablets and smartphones – and increasingly, that power the back end of our smart home gadgets – are often exploited by cybercriminals to hack your devices, steal your personal information and, in many cases, commit identity fraud.
How do they do this? Vulnerabilities in software and applications occur when the code for those applications is written. Certain flaws in that code can be exploited by cybercriminals to get into the computer system – or, for a business, into the network.
That doesn’t mean we should start pointing the finger at developers – no code will remain 100 percent secure forever, with new vulnerabilities discovered all the time. This is why we receive updates from our software providers, which patch the insecure code and keep our devices safe.
When we don’t download these patches, it’s like leaving the back door unlocked. You might leave it open all day and no one will discover it. But it just takes one person to try to get in and suddenly they have access to your entire house and everything that’s in it. It’s actually worse in the software world than the physical world, as attackers can automate their attacks and scour the internet for unpatched software to break into.
What’s the risk?
When we hear about the cost of leaving vulnerabilities unpatched, it tends to be in relation to large organisations due to the sheer scale of the event.
In September, the mega-breach of Equifax that exploited a known vulnerability in a piece of web software resulted in the theft of the personal data of 143 million American and 400 British customers. What was most disappointing in this case was that a patch for the security flaw – which lay in Apache Struts 2, a framework for creating web applications written in the Java programming language – had been available since March 2017.
Similarly, the WannaCry ransomware attack, which took out large swaths of the NHS, also exploited a known vulnerability in the Microsoft operating system for which a patch had been made available. This is why the National Audit Office stated that the NHS “could have prevented” the attacks and why the chief argued the Department of Health and the NHS now must “get their act together”.
But while cyberattacks on large organisations may secure the headlines, consumers must realise that their own software and operating systems may be the next target. From hacking online banking to commit identity fraud, to hacking individuals to get access to sensitive corporate information from your company when they log on remotely – the motivations for cyberattackers are real and often realised.
What should I do?
For something so simple, it is staggering that updates are so frequently ignored and/or put off. In the time that it takes to boil a kettle and make a cup of tea, most software updates can be downloaded. Think of software as something that slowly rots over time and must be kept refreshed and up to date so attackers can’t take advantage of it.
Just as the Cyber Aware campaign advocates, there is no better advice than to keep your personal and work devices up to date. So keep the back door locked: you’ve got nothing to lose and everything to gain.