One of the most common ways that hackers target organizations is by exploiting vulnerabilities in outdated software. Outdated software risks can leave you open to a variety of hacks, including ransomware, malware, data breaches, and more.
The fact is, failing to update your software doesn’t just mean you’re missing out on the latest version—it means you could expose your organization to major security vulnerabilities, like the widespread Apache Log4j2 vulnerability.
Log4j2 impacted almost every networked organization and required fast action to mitigate. Yet, security teams spent significant resources struggling with the problem. According to the U.S. Cyber Safety Review Board, one federal cabinet department reported dedicating 33,000 hours to Log4j vulnerability response.
Let’s take a closer risk at the top outdated software risks and steps you can take to mitigate them.
The top five cyber risks associated with outdated software and operating systems
- Ransomware risk
- Business and functional disruption
- Third-party breach
- Mobile device compromise
- Internet of things (IoT) risk
1. Ransomware risk
Outdated systems are low-hanging fruit for cybercriminals looking to perpetrate ransomware attacks.
When Bitsight analyzed hundreds of ransomware events to estimate the relative probability that an organization will be a ransomware target, we found that those with a poor patching cadence correlated with increased ransomware risk. In fact, organizations with a patching cadence grade of D or F were more than seven times more likely to experience a ransomware event compared to those with an A grade.
Despite the clear risk, many organizations lack the visibility to know where security gaps exist so they can proactively fend off ransomware attacks or mitigate their effects. Read our guide—How to Avoid Ransomware—to learn more.
2. Business and functional disruption
Outdated systems can also cause major business disruption. Consider the many interconnected devices on your network, from IoT sensors and devices at the edge to cloud-based infrastructure and services. Outdated software on any of these devices can expose your entire digital infrastructure and data to cyber risk.
For example, in the healthcare sector outdated and unpatched medical devices, such as MRI machines, insulin pumps, and defibrillators, are increasingly targeted by threat actors. According to an FBI alert:
- 53 percent of connected medical devices in hospitals have known critical vulnerabilities. Approximately one third of healthcare devices have an identified critical risk potentially implicating technical operation and functions of medical devices.
- If these systems aren't patched or secured, per the FBI, they could “…negatively impact an organization’s operational functions, overall safety, data confidentiality, and data integrity.
3. Third-party breach
While it’s critical that you discover and remediate the risk posed by outdated systems inside your organization, it’s just as important to assess your third parties. For instance, if a vendor manages your sensitive data and accesses your network using an outdated browser or operating system, they could inadvertently expose your data to risk.
Similarly, if you host data in the cloud, a hacker could exploit an unpatched security vulnerability in a cloud provider’s web application firewall appliance and take control of the device or reach into the network where your data is housed.
4. Mobile device compromise
As your business grows, the more mobile devices get connected to your network. Studies show that two out of three people (67 percent) use their own devices to complete work and 55 percent of employees solely use their mobile devices for work while traveling.
If one of these mobile devices is running an outdated operating system or browser, your corporate network could be compromised. Despite the fact that mobile phone updates often provide important security updates and bug fixes, many employers don’t have BYOD security policies in place or a means to enforce them. Security teams also have a difficult time monitoring BYOD usage or seeing when personal devices connect to the network.
Despite the fact that mobile phone updates often provide important security updates and bug fixes, many employers don’t have BYOD security policies in place or a means to enforce them. Security teams also have a difficult time monitoring BYOD usage or seeing when personal devices connect to the network.
5. Internet of things risk
Connected IoT devices such as webcams, medical sensors, smart devices, digital twins, GPS trackers, industrial robots, and environmental sensors can cause extensive damage if they operate on outdated software while being linked to the corporate network.
The compromise of one IoT device can impact your entire organization and its connected supply chain. This can result in delays in operations and financial loss far beyond the impacted device.
By 2030, there will be 29 billion connected IoT devices, making it almost impossible to manually inventory and monitor their security postures.
How to protect yourself against outdated software risks
A robust vulnerability management program can help your organization identify and fix vulnerabilities in outdated software before attackers can exploit them. Consider the following steps:
1. Map your external attack surface: Before you can get a handle on outdated system risk, you need to understand the full scope of your external attack surface. With up-to-the-minute visibility into your digital assets and cloud infrastructure, you can assess current risk exposure; prioritize high-risk assets; and take action to reduce risk.
2. Secure your endpoints: Continuously probe and monitor your network to detect new endpoints, whether from new employees working from home, IoT and mobile devices, or new digital vendors added to your supply chain.
3. Continuously monitor for out-of-date systems: Maintain an up-to-date view of unpatched or outdated systems by automatically and continuously monitoring your network. Unlike periodic security audits, continuous monitoring keeps a constant check on emerging risk, such as a system that requires an urgent update. Rather than hunt down at-risk systems, set up alerts so you’re notified in near-real time the moment hidden risks are detected.
4. Patch vulnerabilities regularly: Patching outdated systems can significantly reduce cyber risk. Indeed, a study by Marsh McLennan found that a poor patching cadence (a measure of how many systems within an organization’s network are affected by vulnerabilities, and how quickly they remediate them) is strongly correlated to cyber incidents. Consult your vendors to determine replacement options if they no longer support a system or software.
5. Continuously monitor third parties: While vendor security assessments have their place, they only provide a point-in-time view of risk. Instead, continuously monitor the security posture of your supply chain partners. Set alerts so that you’re notified the moment a vulnerability is detected within a vendor's ecosystem, such as an unpatched system, or when a vendor experiences a security incident. Then work collaboratively with your vendor to reduce risk to everyone in the supply chain.
The criticality of updates cannot and should not be ignored. However, by taking an integrated approach to cybersecurity risk management you can gain visibility into exposure from outdated software risks and other security flaws that hackers exploit. See how Bitsight can help you achieve this insight and focus your investments and resources where they are most needed. Request a free demo today.