By SRT CEO, Michael Ryan
That’s all it took to cause a data breach that exposed personal information of nearly 146 million Americans. A single employee, somewhere within the Equifax chain of command, failed to install a software patch. A patch that had been available for months.
A patch that could have prevented the breach entirely.
Before I became the CEO of South River Technologies, I spent more than 20 years as a software engineer and developer of server solutions, so I understand how difficult it is to develop bulletproof software. No matter how good your technology is initially, there’s almost always a point of failure, a vulnerability, or an attack vector that requires a patch. Knowing that, I also understand that when someone does inevitably find an opening for an attack, software vendors must patch the hole immediately and release the fix to customers.
So, when patches are readily available — patches that are designed to protect your company from data breaches that can plaster your name across the news and destroy your entire business — why wouldn’t you apply them immediately?
As a CEO, I get it. When your servers are down, your customers aren’t happy. Businesses today routinely require 99.999% uptime, which leaves very little room for scheduled updates and patches. Is your company willing to sacrifice some of that downtime — and, more importantly, customer satisfaction — to install a software patch?
Unfortunately, the answer for many businesses is no. Companies are reluctant to apply patches immediately when they are released because either they don’t want unscheduled downtime, or there are business rules in place prohibiting immediate rollout of security patches until they have been thoroughly vetted by IT. Worse, I see this most often in the healthcare and finance industries — two sectors that are constantly under attack because of the value of personal financial and healthcare information.
While installing a patch could cause a few minutes of downtime, failing to install that patch could create a vulnerability that allows your customers’ data to be exposed, stolen, and potentially sold on the dark web.
Which is worse for your customer satisfaction?
Here’s the reality: There will never be perfectly secure software, and there will never be a shortage of cyber criminals whose sole mission is to gain access to your system, take your data, and sell it for a profit. Here’s how I propose we move forward as software providers to better protect our customers.
Server software vendors: We must be diligent about regression testing every code change to ensure there are no memory overruns, holes, or other vulnerabilities. As software vendors, there are always opportunities to cut corners or deliver updates prematurely to satisfy customer demands. But that only increases the likelihood of more bugs requiring additional patches, which hurt customers in the long run.
Company executives: Immediately evaluate your software vendors. Find out how often they release software patches. Determine the turnaround time for hot-fixes. Have them verify their QA processes. Will your vendor work with you to test and apply the patch to your system with the least amount of downtime? For mission-critical systems, does your server solution support clustering so one server can come offline to be patched while the other continues to service customers? If your software vendors cannot pass these tests, find another solution provider because you’re putting your customers and their data at risk. However, part of the responsibility is also on your shoulders. You should have a formalized plan in place that allows you to upgrade and apply patches within 24 hours of the release — not two months later.
Whether you’re the executive in charge of your company’s information security, or a software vendor that many companies rely on, you must do your part to protect your customers’ data and avoid security incidents like the Equifax breach.
CEO, South River Technologies