Security Patches and Negative ROI Equal Corporate Stupidity
I'm talking about the vexed question of security patches. Using software that requires frequent patching because of security problems means you're pouring money down the drain. It creates a situation in business akin to anarchy. What's more, it's a situation that is totally unnecessary, because there are solutions to the problem.
When a security patch alert is issued, you have two options. You can stop whatever it is that you are doing, no matter how important or crucial, and spend the day (or the next several days) applying patches to servers. Or you can decide that what you had intended to do before you knew about the patch is vital and cannot be postponed. You then hope nothing will happen.
Other factors come into play as well. Installing patches is boringly repetitive and an uninspiring chore, which usually requires expensive, skilled technical staff (probably in short supply) to carry it out. Servers often have to be brought down, so the natural tendency is to postpone patching. The thinking may be to wait until the next patch is required and install both of them together. When you postpone patching, as many people do, you are accepting insecurity as a way of life.