Stop disabling automatic updates, people!

If you're regularly delaying the roll out of patches and updates, then you're part of the problem. But then companies like Microsoft, Apple and Google are also a part of the problem.
Written by Adrian Kingsley-Hughes, Senior Contributing Editor
Stop disabling automatic updates, people!

You're either part of the problem, or part of the solution, and when it comes to the IT industry, there's plenty of blame to go around.

Malware attacks such as WannaCrypt are a perfect example of why the prompt patching of PCs and other devices is essential. But patching can be a painful process, and companies such as Microsoft and Apple have a big part to play in encouraging users to patch quickly.

See also : Five features the iPhone 8 needs to have (but probably won't get)

One of the best, most effective mechanisms of defending against malware attacks is patching vulnerabilities. After all, an attacker can't sneak in through an open window if the window has been bricked up. But patches do you no good if they're not installed promptly.

And by prompt, I don't mean weeks or months, but days, if not hours. Tech is fast-paced and infosec doubly so, so there's no time for umming and ahhing, because you're either part of the problem or part of the solution. I know that it's not always possible to get patches installed immediate, and roadblocks can get in the way of deployment, but you need to have an effective plan for getting patches installed, and a plan for what to do in the event of a problem.

Not installing patches and burying your head in the sand is not a solution.

One thing that needs to end is the disabling of automatic updates. Yes, I know that if you're one of those people who has disabled automatic updates on your systems that you probably have a well-worn excuse for why you do it. And that excuse may have some validity to it. After all, patching is painful. It can break things. Duff patches can come down the pipe and cause headaches. And it takes time and interrupts your workflow.

But you still need to do it!

And the most effective way to patch systems is to automate the process. And you mess with or disable these mechanisms at your peril.

How to securely erase any hard drive, SSD, flash drive, iPhone, iPad or Android device

Over the decades I've come across countless articles and how-tos on how to disable automatic updating on a whole raft of systems. While most of these articles were well-meaning, they were also dangerous because they showed people how to do something that they didn't really understand. The truth is that if you don't know how to prevent a patch coming in automatically, you probably shouldn't be messing with your operating system, and probably don't understand the implications of what you're doing.

Ten years ago this might have been something that you could get away with, but fast-paced malware such as WannaCrypt is evidence that this isn't the case any more. The timespan from a vulnerability being disclosed to patches being released to a widespread attack can be a few weeks.

But as an industry we also need to acknowledge that patching is a huge and painful process all round, and that companies like Microsoft and Apple are part of the reason why patching sucks, and have a huge part to play in making the process a better, smoother one.

Rather than waste time raking up the past and pointing fingers, I'm just going to jump straight into ways that the patching process could be improved. Some companies already score better than others, but as a whole the industry could do a lot better.

#1: Don't mix other nonsense in with security patches

Allowing a company to patch a system automatically relies on trust, and companies should recognize that and do their bit to not betray that trust. Mixing in promotional junk or feature changes with security patches - yes, I am pointing the finger at you now, Microsoft, for the way you pushed Windows 10 onto users - is just plain deceptive.

Stop doing it. Security patches should be nothing more than security patches.

#2: Patching should be as painless as possible

Patching should be as quick and as painless as possible. Users shouldn't have to download a new operating system to get patches, and there shouldn't be any changes to workflow or how things work unless absolutely necessary.

Ideally - and I know I'm asking a lot here - patches shouldn't require a reboot, or reboots should only be done when absolutely necessary. And ideally, if a reboot is required the operating system should return to the state it was prior to the reboot, complete with whatever apps and documents that were open.

#3: Patch problems should, ideally, be few and far between

Releasing buggy patches is a big breach of trust, and every time it happens, it erodes trust in the patching process as a whole.

Code will never be 100 percent perfect all the time, but that should still be the goal. The "ship now, patch later" attitude that is pervasive throughout the tech industry is corrosive and damaging.

#4: It should be easy to roll back problem updates

Nothing would give users and IT admins alike the confidence to apply patches more than knowing it's easy to roll back updates in the event of a problem.

The situation as currently exists with Apple's iOS platform where users can't easily roll back an update, and just have to wait for yet another patch to come down the line is a really clumsy approach to the patching.

iOS 10.3: 'Power User' tips and tricks

See also:

Editorial standards