I've Got Antivirus – Why Do I Need to Patch?
Lots of people are still nervous when it comes to installing security updates. Maybe you once did an update and it ended up taking ages, just when you were in a hurry.
Perhaps you're scared that the update might include changes that you've already decided you won't like, even though their purpose is to improve security. Like the time Apple bumped up the minimum iPhone passcode length from four to six digits.
Or perhaps you know someone who's still using Windows XP, which hasn't had any security updates for ages, and they've breezily assured you that they've been fine for years, so why worry?
After all, you've got Sophos Home, which quietly keeps itself up-to-date without making you wait for multi-gigabyte downloads once a month, and without those scary reboot warnings saying "do not turn your laptop off right now."
So how come that's not enough on its own?
In everyday terms, if you've got a big dog keeping watch over your yard, what's wrong with leaving the key under the doormat?
In three words, the answer is: defense in depth.
Security updates aren't known colloquially as "patches" for nothing. Like patches for a punctured bicycle tube or a tear in your favorite jeans, software patches often seal off security holes that crooks already know about.
In other words, patching promptly doesn't just improve your general resilience to cybercriminals – it also renders you immune to whole classes of possible attack.
Patching a known security hole isn't like putting a better lock on a door that the bad guys keep trying to sneak through. It's like removing the door altogether, so there's no longer any way through at all.
A good example is an exploit known as EternalBlue. ("Exploit" is the jargon name given to a working hack that can automatically be used to break in via a known security hole.)
EternalBlue was originally developed and kept secret by the U.S. National Security Agency (NSA), but criminals managed to get hold of it. Notable attacks that used it include the data-scrambling virus called WannaCry in May 2017 and the disk-wiping malware called NotPetya that followed in June 2017.
Those attacks were huge news at the time, and from their prevalence you might assume that the EternalBlue exploit took everyone entirely by surprise.
But Microsoft's patches had sealed off the EternalBlue hole back in March 2017. (Microsoft patches are officially delivered on "Update Tuesday" on the second Tuesday of the month, but still colloquially referred to as "Patch Tuesday.")
Anyone who had applied those patches any time in the two months before WannaCry showed up was in really good shape. The exploit simply wouldn't work against them at all.
Sure, their antivirus might have stopped the attacks anyway, but it didn't have to. Users who applied the patch had permanently sealed up the hole on which the exploit relied in the first place.
So, simply put: patch early, patch often.
Make patching a part of your cybersecurity routine on your laptops and your mobile phones. And don't put it off "because we haven't heard of any attacks yet."
Patching isn't a replacement for a great security solution such as Sophos Home, but having a great security solution like Sophos Home isn't an excuse to skip those patches!