Yes, you need to update Windows security
January 22, 2020
Martin Søndergaard, CTO

Windows security: Let me start by drawing a picture for you…

Carsten from IT suddenly comes rushing in during the planning of next year’s development projects.

“Turn the computer off! Turn the computer off!!” he shouts and charges across to the open laptop on the table. “Turn your computers off, we are under attack!”

His eyes are filled with panic. Out on the corridor you can hear other IT colleagues in the other rooms. All with the same message: “SWITCH OFF!”

Although this sounds like a scene from a film, the picture is not very different from what happened at Mærsk Olie & Gas, when the “NotPetya” attack struck the billion-strong enterprise in 2017.

Windows security update now! The threat is continuously growing

You may also remember the characteristic name of the ransomware WannaCry? The security hole that the malicious worm exploited had actually been closed two months before the worldwide attack – if, that is, one had updated one’s Windows system.

Many had not.

It is entirely clear, in my view: there is no reason to expect that the threat from hackers will diminish in 2020, even though the two examples above are from 2017.

To give you an idea of the scale of the threat (and yes, you should be terrified), I have found a couple of statistics:

  • There are on average 2,244 hacker attacks per day across the world. That is one every 39 seconds.
  • On average, a ransomware attack costs companies almost DKK 900,000.
  • On average, every employee has access to 17 million files.
  • 82% of employees consider that they lack cyber-security training.

Can you see where I’m going?

Yes, correct. As an IT manager, you have a huge responsibility for your company and your colleagues to be geared up for the battle against hackers, and one of the most important tasks that you have is to ensure that all machines with online access are updated.

The greatest challenge for Windows security updating: everyday life

If you have broadly kept up with developments over the last couple of years, the statistics above will not come as a surprise. You will certainly also know that system updates are the crucial tools for maintaining a strong IT defence.

The big question is this: how do you get the staff to carry out the updates?

Because the timing of updates is always bad. One is always in the middle of one thing or another. In the middle of a presentation, in the middle of an important task or in the middle of a fantastic 5-minute video of a drummer pounding out an Earth, Wind and Fire number which Jan-Erik from over in production has just sent.

Nevertheless, you have to set deadlines for when a system update must have been carried out. Typically, we recommend that you give staff between 14 days and a month to carry out the updates.

This gives them time to fit them into their calendars, and if you warn and inform them about updates in good time, your colleagues will also not feel quite so irritated by needing to click on “Update now”.

Update wisely: choose IT-savvy front-runners

You won’t get around the fact that all the machines in your business need to be updated to the latest systems if you want to keep the defences up against the threats from the internet.

Nevertheless, it is often wisest to update the individual machines in a strictly prioritised sequence. This is because timing may not be the only challenge if you have to update 1,000 computers.

Risk of system paralysis

You may hit other parts of your IT infrastructure with large system updates. You risk that programs which previously worked perfectly are suddenly unable to talk to each other.

If you roll out a Windows update to all 1,000 users at once, you risk paralysing large parts of the operation, with major costs as a result.

In order to anticipate any problems before an unintended bug is pushed out to all your colleagues, we always recommend carrying out Windows updates in the following sequence:

  1. Computers in the IT department
  2. Staff computers in non-critical parts of the business
  3. Staff computers in the rest of the organisation
  4. Computers in any production machines that are critical for the business

When you follow this sequence, you ensure that the mistakes and problems that an update may generate are spotted before they hit vital parts of the business.
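
One way to track this sequence together with the update deadline discussed earlier, as an added PowerShell example that is not from the article. The inventory, group names, dates, the `Get-RolloutStatus` function, the 3-day stagger between rings and the rule that a failed install holds all later rings are assumptions made for illustration.

```powershell
# Added example. Constructed sample inventory; Group decides the update ring.
$inventory = @(
    [pscustomobject]@{ Name = 'IT-01';   Group = 'IT';          Installed = $true;  Failed = $false }
    [pscustomobject]@{ Name = 'IT-02';   Group = 'IT';          Installed = $true;  Failed = $false }
    [pscustomobject]@{ Name = 'MKT-01';  Group = 'NonCritical'; Installed = $false; Failed = $true }
    [pscustomobject]@{ Name = 'MKT-02';  Group = 'NonCritical'; Installed = $false; Failed = $false }
    [pscustomobject]@{ Name = 'FIN-01';  Group = 'General';     Installed = $false; Failed = $false }
    [pscustomobject]@{ Name = 'LINE-01'; Group = 'Production';  Installed = $false; Failed = $false }
)

# Ring order from the article: IT first, business-critical production machines last.
$rings = [ordered]@{ IT = 1; NonCritical = 2; General = 3; Production = 4 }

function Get-RolloutStatus {
    param(
        [object[]]$Inventory,
        [datetime]$ReleaseDate,
        [datetime]$Today = (Get-Date),
        [int]$DeadlineDays = 14,  # article: give staff 14 days to a month
        [int]$StaggerDays = 3     # assumption: days between ring starts
    )
    $blockedBy = $null            # earliest ring that reported a failed install
    foreach ($group in $rings.Keys) {
        $ring     = $rings[$group]
        $machines = @($Inventory | Where-Object { $_.Group -eq $group })
        $pending  = @($machines | Where-Object { -not $_.Installed })
        $start    = $ReleaseDate.AddDays(($ring - 1) * $StaggerDays)
        $deadline = $start.AddDays($DeadlineDays)

        if ($blockedBy) { $state = "Held (failure in ring $blockedBy)" }
        elseif ($Today -lt $start) { $state = 'Scheduled' }
        elseif ($pending.Count -eq 0) { $state = 'Complete' }
        else { $state = 'Open' }

        # Machines still unpatched after the ring's deadline are reported as overdue.
        $overdue = ''
        if ($state -eq 'Open' -and $Today -gt $deadline) { $overdue = $pending.Name -join ', ' }

        [pscustomobject]@{
            Ring = $ring; Group = $group; State = $state
            Deadline = $deadline.ToString('yyyy-MM-dd'); Overdue = $overdue
        }
        # A failed install here holds every later ring until IT has fixed the cause.
        if (-not $blockedBy -and @($machines | Where-Object { $_.Failed }).Count -gt 0) {
            $blockedBy = $ring
        }
    }
}

Get-RolloutStatus -Inventory $inventory -ReleaseDate '2020-01-15' -Today '2020-02-03' |
    Format-Table -AutoSize
```

With the sample data, the IT ring is complete, the non-critical ring is open with two overdue machines, and the last two rings are held because of the failed install in ring 2.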

Let your IT people catch the problems

By starting the updates in the IT department, you also ensure that it is the most IT-savvy staff who are first confronted with any challenges that the updates may bring. Your IT department thus has the opportunity to correct the faults and put the affected systems right before the updates affect the rest of the organisation. In this way you avoid both production losses and unnecessary irritation among your colleagues about the system updates.

Although it may sound strange, the second point may in fact be more important than the first. If you irritate your colleagues with the updates, this may be the exact reason why they press “Postpone update” next time you send a Windows update into circulation.

It is here that the danger is found, since with 2,244 attacks a day, the next WannaCry is just around the corner, and suddenly you will become Carsten, running into the meeting room with warning shouts.