Many people are familiar with the old saying, “Don’t fix it if it ain’t broke.” It’s usually good advice, although it’s frequently given after you’ve already made a mess of things by trying to “improve” a device or system that was previously working just fine.

It’s tempting, then—especially for those who’ve been burned by this sort of thing—to apply it to computer, network, and data system updates. If it’s working fine, and does everything you need it to do, why mess with it?

Unfortunately, following that sage advice doesn’t always work so well with computer systems. In fact, keeping your systems updated is the one easiest thing you can do to stay a step ahead of the hackers.

Updates and System Security

The reason keeping your computer systems updated is so important is that hackers are constantly on the prowl for vulnerabilities in applications, back-end systems, and operating systems (OSs). Software and OS makers, in turn, try to keep up by regularly providing patches for discovered vulnerabilities. Applying these updates, therefore, ensures that known vulnerabilities are patched and immune from hacking. The longer you go without applying updates, the more likely you are to become a victim.

Why do businesses have such a hard time keeping their systems updated? There are a number of reasons, some worse than others:

• It’s time consuming: Both desktop and server operating system updates can take time to complete, during which they are out of service. This can be particularly vexing in the case of business-critical servers, because downtime can bring the entire business to a temporary halt. Often, one or more system reboots are required, which takes even more time to bring systems back into service.
• It’s risky: There is always a chance that a given operating system patch will conflict with one or more software programs and cause them to stop working. However, the risk of such a conflict is usually quite low, and must be weighed against the risk of leaving your systems unpatched. Keep in mind that this risk only increases as time goes by.
• I’ll get to it later: Procrastination is probably the greatest factor, especially in small- and medium-sized businesses (SMBs). With a limited staff and little or no expertise, it’s easy to find hundreds of other tasks that seem to have a higher priority.

Get Out from Under Outdated Systems

System updates are important—just ask Equifax, which in 2017 was victimized by hackers who stole the names, Social Security numbers, and other sensitive information on almost 150 million consumers; the hackers exploited a server vulnerability that Equifax was aware of but didn’t bother to patch, even though it could have been done easily and with minimal interruption to services and applications.

Just as important, however, is the risk of continuing to use outdated software and equipment. Many SMBs rely on software systems and hardware devices for which updates are no longer provided by their manufacturers (assuming the manufacturers are still in business), or which were not designed to be updated in the first place. Many businesses choose to keep these relics running because they work fine (“If it ain’t broke…”) and because replacing them can be expensive and disruptive. This is a significant risk, because if hackers find vulnerabilities in these systems, there’s nothing to stop them.

Forming Good Cybersecurity Habits

Of all the cybersecurity steps you can take (and should—see our free cybersecurity checklist for details), software and OS patching is usually the easiest and most straightforward to do. The hard part is developing the discipline to do it regularly. Equally important is reducing your risk by phasing out your outdated systems (both software and hardware) and replacing them with newer, less-vulnerable systems. Do these, and much of your cybersecurity job is done.