The easiest way to improve a device's security is to make sure it's using the latest version of its operating system, browser, and other software. Updates often patch known vulnerabilities or bolster an app's defenses. But a new report from BitSight, the self-described "standard in security ratings," shows that many organizations don't update the operating systems or browsers of the many devices they have to manage.
BitSight said it analyzed "
almost three times as likely to experience a publicly disclosed breach." Note the "publicly disclosed" qualifier: chances are good that other organizations are compromised because they use outdated operating systems and either fail to notice the intrusion or keep it quiet.
Another 8,500 organizations have outdated browsers on more than 50% of their computers, BitSight said, which doubles their chance of suffering a publicly disclosed breach. This is particularly worrisome given how easy it is to install browser updates. Google Chrome and Mozilla's Firefox automatically update themselves by default. Microsoft Edge and Apple's Safari, however, are usually updated alongside their respective operating systems. Organizations that use those browsers but fail to install OS updates are therefore likely to be running old versions of Edge or Safari as well.
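The report's metric is the share of an organization's fleet running an outdated OS or browser, with 50% as the line it draws. The following is an added example, not BitSight's methodology or code, of how a defender can compute that share from their own device inventory and flag fleets that cross the threshold. The inventory, the baseline "current" versions, and the organization names are all constructed for illustration; in practice the baselines would be fed from the vendors' release notes.

```python
"""Fleet update-coverage check (added example; not from the BitSight report).

Computes, per organization, the fraction of devices whose OS or browser is
older than a baseline, and flags fleets where either fraction exceeds the
50% threshold discussed in the text. All versions below are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Device:
    org: str
    os_name: str
    os_version: str
    browser: str
    browser_version: str


# Hypothetical minimum "current" versions (constructed, not vendor data).
# Windows uses NT kernel numbering: 6.1 = Windows 7, 6.3 = 8.1, 10.0 = 10.
BASELINE_OS = {"windows": (10, 0), "macos": (10, 12)}
BASELINE_BROWSER = {"chrome": (59, 0), "firefox": (54, 0),
                    "edge": (40, 0), "safari": (10, 1)}

THRESHOLD = 0.5  # share above which the fleet is flagged


def parse_version(text):
    """Turn '10.12.5' into (10, 12, 5); stop at the first non-numeric part."""
    parts = []
    for piece in text.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        if not digits:
            break
        parts.append(int(digits))
    return tuple(parts)


def is_outdated(version, baseline):
    """True when the installed version sorts below the baseline tuple."""
    return parse_version(version) < baseline


def outdated_share(devices):
    """Return {org: (outdated_os_share, outdated_browser_share)}.

    Platforms missing from the baseline tables are counted in the fleet size
    but never as outdated, so an unknown product cannot inflate the share.
    """
    counts = defaultdict(lambda: [0, 0, 0])  # [total, os_old, browser_old]
    for d in devices:
        c = counts[d.org]
        c[0] += 1
        os_base = BASELINE_OS.get(d.os_name.lower())
        if os_base is not None and is_outdated(d.os_version, os_base):
            c[1] += 1
        br_base = BASELINE_BROWSER.get(d.browser.lower())
        if br_base is not None and is_outdated(d.browser_version, br_base):
            c[2] += 1
    return {org: (os_old / total, br_old / total)
            for org, (total, os_old, br_old) in counts.items()}


def flag_orgs(devices, threshold=THRESHOLD):
    """Orgs whose outdated-OS or outdated-browser share exceeds the threshold."""
    flagged = {}
    for org, (os_share, br_share) in outdated_share(devices).items():
        reasons = []
        if os_share > threshold:
            reasons.append("os")
        if br_share > threshold:
            reasons.append("browser")
        if reasons:
            flagged[org] = reasons
    return flagged


# Constructed sample inventory; two fictional organizations.
INVENTORY = [
    Device("acme", "windows", "6.1", "chrome", "59.0.3071"),
    Device("acme", "windows", "10.0.15063", "edge", "40.15063"),
    Device("acme", "windows", "6.3", "firefox", "52.0"),
    Device("acme", "macos", "10.11.6", "safari", "9.1.3"),
    Device("globex", "windows", "10.0.15063", "chrome", "59.0"),
    Device("globex", "macos", "10.12.5", "safari", "10.1"),
    Device("globex", "windows", "10.0.14393", "edge", "38.14393"),
]

if __name__ == "__main__":
    for org, (os_share, br_share) in outdated_share(INVENTORY).items():
        print(f"{org}: outdated OS {os_share:.0%}, outdated browser {br_share:.0%}")
    print("flagged:", flag_orgs(INVENTORY))
```

Note that a browser's version alone does not say whether it is patched for a given CVE; the check above only tells you which part of the fleet is behind the baseline you chose, which is the same coarse signal the report is built on.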
BitSight connected its findings to WannaCry, a ransomware attack that took the world by storm in May, and which exploited a vulnerability in Windows that Microsoft had patched back in March. The attack spread in large part because many organizations fail to keep their software updated. This prompted Microsoft to release a patch for Windows XP, 8, and other legacy versions of the operating system to halt the attack.
Some organizations have legitimate reasons for using outdated versions of Windows and macOS. Critical software might not be compatible with modern versions of the operating systems, which forces these companies to decide between finding an alternative solution or sticking with the version of Windows or macOS that fills their needs. That isn't an easy decision to make, especially with attacks like WannaCry making headlines.
Staying on an old OS in turn leads to outdated browsers: besides bundling browser updates with OS releases, vendors often require a modern OS before newer versions of their browsers can be installed at all.
BitSight's report shows just how dangerous failing to update these critical aspects of a device can be. Companies release updates for a reason, and it's not always because they have some new and exciting features. Often, it's because a vulnerability was disclosed, either publicly or privately, and they want to make sure their customers won't be affected by it. Failing to install those updates wastes that effort.
You can find the full BitSight report here (though you'll have to provide some personal info to download the whole thing), and the key findings were summarized in a press release.