This one change could protect your systems from attack. So why don't more companies do it?

One 'boring but really important' change could improve your security posture significantly. But not everyone does it.
Written by Danny Palmer, Senior Writer on

If there's one thing an organisation should do to protect its network from cyberattacks, it's turn on automatic updates for security patches so cyber criminals and other malicious hackers can't exploit vulnerabilities that have already been fixed.

The advice comes from the UK's National Cyber Security Centre – the cyber arm of GCHQ – which recommends applying security patches as soon as they're available as it's one of the simplest things an organisation can do to prevent intruders entering their networks.

"Patching is now so much easier and so much less risky than it was when we first started doing this stuff. If there's one thing that anyone out there wants to take away, turn on automatic updates, please – even if you're an enterprise, turn on automatic updates," said Dr Ian Levy, technical director of the NCSC, speaking at the cybersecurity agency's CYBERUK 2021 virtual event.

"The sort of things we've seen over the last six to nine months like the big vulnerabilities and the big incidents, a lot of them come down to people not patching properly. And I know it's really boring but it is really important."

SEE: Network security policy (TechRepublic Premium)

Levy detailed how the NCSC contacted organisations after the recent vulnerabilities in Microsoft Exchange Server came to light to encourage them to patch their systems – yet some of these still took weeks to apply the updates, all the while potentially leaving themselves open to cyber criminals and other hostile hacking groups actively looking to exploit the flaws.

"People were taking weeks and weeks to patch, even though there was all the noise in the news, even though we were individually contacting them to say 'hey, you've got a vulnerable Exchange server, please patch'," he explained.

When vulnerabilities are made public, cyber attackers will actively look for networks that have yet to apply the patches. But information security teams can beat criminal hackers to the punch by examining their own networks for potential vulnerabilities, such as unsecured internet facing Remote Desktop Protocol (RDP) ports.

"Think about how people select victims – look across your external-facing stuff and you can see exactly what they can see," Levy said. "As soon as RDP pops up, run back home and turn it off because it shouldn't be connected to the internet anymore".

But Levy also warned that some organisations don't help themselves at all when it comes to applying security updates, noting that the NCSC is aware of over 1,000 endpoints in the UK that are still vulnerable to BlueKeep, a critical vulnerability in Microsoft's RDP implementation that allows attackers to remotely execute malicious code on machines.

It was detailed and patched two years ago but the organiations that haven't applied the update are still at risk of a vulnerability that is popular with cyber-threat groups.

"That's not okay, that's not been patched; we know that's one of the favourite ways of various threat groups to get in – external-facing unpatched vulnerabilities, you kind of deserve what you get if you're on that space these days!" said Levy.

SEE: A winning strategy for cybersecurity (ZDNet special report) | Download the report as a PDF (TechRepublic)  

However, the majority of organisations are taking advice on board and learning from major incidents like the SolarWinds supply chain hack or the Microsoft Exchange Server attacks – and one of the key things organisations need to do to secure their infrastructure from cyber threats is to provide their information security teams with the resources needed to do things like apply the patches.

"This can be done, there are organisations, companies, sectors that do this effectively. This isn't a technical problem anymore, it's an investment problem, it's a skills problem, it's making sure you use the right capabilities in the right way and make the right investment choices," said Paul Chichester, director of operations at the NCSC.

"This is not something that's impossible to fix. Even the highest-end nation state, you can defend against those capabilities and the technology and capability is out there," he added.

SEE: Ransomware just got very real. And it's likely to get worse

The NCSC also hopes that the publicity around these high-profile cyber events is reaching the boardroom and that directors are taking notice and asking questions about how they can ensure they're not the next organisation in the news for being breached.

"My sense is the benefit of having SolarWinds as a shorthand for a much wider set of activity is there is a bit more conversation in the boardroom; there's been a lot of coverage on this incident," said Lindy Cameron, CEO of the NCSC.

"My hope is CEOs are asking questions of their CISO and actually demanding to know there's a system in place to make sure they can patch on a regular basis," she added.



Revealed: The top 11 malware strains you need to worry about

Revealed: The top 11 malware strains you need to worry about

Yes, robots have taken over (So why don't we care?)
Software engineer explaining to controlling robotic welding process to welder in factory. -

Yes, robots have taken over (So why don't we care?)

AI & Robotics
Microsoft's new security tool lets you see your systems like a hacker would

Microsoft's new security tool lets you see your systems like a hacker would