Software is complex and imperfect and can always be improved. In today's rapidly evolving technological landscape, software updates are therefore a recurring necessity! Installation within 14-days of release is the essential timing, according to NCSC (National Cyber Security Centre). Updates are built into the price of software, whilst it is being supported.
Who wouldn’t update, if you’ve already paid in advance for it? This is quite different from upgrades, which usually require a further cost. This is no different to buying a new car and getting (say) four years free maintenance. Who wouldn’t get all those free services?
New versions (in motor car parlance, new models) promise a plethora of benefits, from enhanced security and improved performance to access to cutting-edge features. Deciding when to upgrade/trade in for a new one can be tricky decision.
Getting back to software… should you wait beyond the end of life (EOL) of your current version and pay extra for extended security updates until the vendor gives up on that clapped out software altogether? Or should you plan to upgrade sooner than EOL (the EOL date will often be announced years in advance)?
The decision of when to upgrade (the software will eventually get beyond extended maintenance) can be a complex balancing act. Unfortunately (for security buffs!), software beyond EOL and extended maintenance is not illegal, so that decision is up to them. Striking the right balance between bolstering security and maintaining cost efficiency is paramount, especially considering the ever-present threat of cyber-attacks, but (again in the view of experts) why take unnecessary risk with getting hacked?
This article delves into the intricate world of software upgrades, exploring the pros and cons of early adoption and waiting until and even beyond the end of life (EOL) of software. We'll analyse the security risks associated with outdated software, highlighting the potential consequences, and emphasizing the importance of prioritizing safety in the digital age.
Why upgrade early?
The enhanced security with newer versions fully addresses known vulnerabilities, which may have only been patched in an update. This is crucial, as outdated software is a prime target for cyberattacks.
There is also improved performance. Software upgrades frequently come with performance optimizations, leading to a smoother and more efficient user experience.
Additionally, there are likely to be new features with the upgraded software, potentially increasing productivity and streamlining workflows. Training courses on that software will usually focus on the latest version and, as well as covering existing functionality, will explain the added advantages with upgrade.
Why wait for some time after the new version is available?
Given the security risk, there must be reasons why businesses delay.
From a financial perspective…
Compatibility issues: new software might not be fully compatible with older hardware or other software you use, leading to compatibility issues and potential disruptions. No change means no training cost.
A learning curve to become fully acquainted with the new version. Adapting to a new interface or workflow can be time-consuming and require additional training, impacting productivity in the short term.
The cost: upgrading may incur upfront costs, to purchase new licenses or subscriptions.
Why wait until the last possible moment before EOL?
As above re security! Even if updates continue within 14-days, with software nearing EOL potentially ceasing to receive official support from the developer, making it difficult to get help with technical issues or bugs. You also have the issue of limited functionality.
You may miss out on new features and functionalities available in newer versions, creating a skills gap of staff for when they are forced to upgrade.
From a financial perspective…
No costs, therefore saving money by delaying the upgrade until it is absolutely necessary. There is also the familiarity with maintaining the familiar interface and workflow of the existing software, avoiding the need to learn and adapt to a new version.
Why continue after EOL, with “extended [emergency] maintenance”?
This approach is similar to using software until EOL but with a key difference and that is paying for security updates from the vendor for a period of time after normal support ends, and not bothering with the upgrade.
Pros:
Continued security updates for the software. Without this, the software would rapidly become very vulnerable to known and unknown exploits, significantly increasing the risk of data breaches and cyberattacks.
Maintaining existing functionality, and no requirement for training.
Cons:
While older software might still function adequately, compatibility issues may arise with newer hardware or operating systems. Upgrading keeps the software functional and avoids potential disruptions to your workflow.
There is also the matter of compliance with regulations. Several industries and organizations have regulations mandating the use of supported software versions for data security or other reasons. Upgrading ensures compliance and avoids legal or financial consequences. Peace of mind is another benefit, knowing your software is secure and supported can offer peace of mind and lessen the stress of potential security vulnerabilities or data breaches.
In any case, the cost for extended support can be expensive, especially for complex software or large deployments. This can be a significant financial burden, especially compared to the potential cost of transitioning to a newer, supported alternative.
The business will fall behind the new, more efficient features, innovations and enhanced functionalities.
Another concern is vendor lock-in, paying for extended support can lock you into a specific vendor, potentially limiting your options for future upgrades or switching to a different product that might be more secure or cost-effective.
After EOL, the software vendor's primary focus will shift towards newer versions. This can lead to slower response times to critical vulnerabilities discovered in older software versions greatly increasing your risk of a cyber-attack. With more limited resources dedicated to older software, the quality and comprehensiveness of security patches might decline, creating an increased attack surface. Using unsupported software increases your attack surface, making it a more attractive target for attackers who exploit known vulnerabilities.
Eventually, the vendor will completely discontinue support, and you'll have to upgrade to a newer version or explore alternatives, potentially incurring downtime, and additional costs. By then, the learning curve for staff will be massive!
Which Option to Choose?
While delaying upgrades can save some initial costs, the security risks associated with outdated software far outweigh the financial benefits. Cyberattacks are becoming increasingly sophisticated, and hackers actively target vulnerabilities in older software versions. By opting for upgrade before EOL, you significantly decrease your attack surface and protect your data and systems from malicious actors.
Cyber Essentials as an aid to decision-making
Many small organisations are wary of security consultants.
In the realm of cybersecurity best practices, the Cyber Essentials framework, introduced by NCSC and currently administered by IASME Consortium, provides valuable insights into securing organizations against common cyber threats. When considering strategic software upgrades, Cyber Essentials plays a pivotal role in guiding businesses through the process. The NCSC framework advises against using software that has reached end of life, emphasizing the increased risk of security breaches. This supports the notion that waiting too long to upgrade exposes organizations to potential security risks.
How Cyber Essentials can help:
1. Security Hygiene
· Assessment: Cyber Essentials provides a structured approach to evaluating an organization's cybersecurity hygiene.
· Integration: This assessment can be incorporated into the decision-making process for software upgrades, guiding organizations to prioritize security considerations.
2. Risk Mitigation
· Guidance: The framework offers guidance on identifying and mitigating common cyber risks.
· Application: Businesses can use this guidance to assess the risks associated with software upgrades and make informed decisions that balance security with other considerations.
3. Compliance Assurance
· Requirement: Cyber Essentials compliance often involves using supported and updated software.
· Relevance: This aligns with the best practice of upgrading software strategically, contributing to overall cybersecurity resilience and compliance.
Incorporating Cyber Essentials into the decision-making process for software upgrades enhances the security posture of organizations. By following the framework's guidelines, businesses can systematically address vulnerabilities, prioritize security, and align their software upgrade strategies with established cybersecurity best practices.
Making an informed decision:
Ultimately, the decision to upgrade a particular application or operating system software depends on your individual needs and risk tolerance. It's crucial to weigh the specific software in question. Critical systems or software containing sensitive data might warrant a more cautious approach with earlier upgrades, while less critical software could be considered for delayed upgrades.
Upgrading earlier is highly recommended. If you operate on a tight budget and have a robust security posture in place, waiting until EOL might be a viable option, if the increased security risks are acknowledged. A decision to go beyond EOL will essentially be based on the same dilemma. It requires a thorough evaluation of your specific needs, security posture, and budget.
Weigh up the options carefully. It is not just cost v risk, because productivity is also a factor.
Useful links:
Cyber essentials software updates/ patch management explained:
Article on why software updates are important:
NCSC guide to software updates:
Comentários