The CrowdStrike outage in July revealed how interdependent, and how fragile, global computer systems have become. Following several high-profile data breaches, policymakers are calling on businesses to do more to patch known software flaws and protect their systems from cybercriminals.
A new study highlights one simple change companies could make: installing software updates sooner after fixed versions are released. The research finds that about 57 percent of US organizations kept running a popular open-source web server, Apache HTTP Server, with known severe security flaws long after patched versions were available.
Why? The cost of software updates—both in terms of time and money—may cause businesses to delay manual updates to vulnerable systems, says Shane M. Greenstein, the Martin Marshall Professor of Business Administration at Harvard Business School.
“Even some IT experts I’ve talked to are surprised by the results,” says Greenstein. “They knew many companies were delaying updates, but not to the extent our data shows.”
The study’s findings illustrate just how exposed many businesses’ computer systems are to attackers, and often simply because companies fail to apply patches for known, sometimes severe, security vulnerabilities, Greenstein says. He hopes the results will prompt policymakers to take a tougher stand against businesses that don’t quickly disclose and act on known threats to their systems.
Greenstein wrote the paper with Raviv Murciano-Goroff, an assistant professor at Boston University’s Questrom School of Business, and Ran Zhuo, an assistant professor at the University of Michigan’s Ross School of Business.
The tradeoffs of software updates
The team’s research coincidentally debuted at a time of intense focus on software updates, after a massive tech meltdown in July disabled millions of Microsoft Windows devices used by organizations worldwide, including airlines, hospitals, emergency call centers, and banks. The cause of the outage: a defective automated content update to the Falcon security platform from CrowdStrike, the giant cybersecurity company, which crashed the Windows hosts that received it before the flaw was detected.
Greenstein’s work focuses on manual software updates, unlike CrowdStrike’s automated updates, but he says the two situations point to the inherent risks of acting too fast or too slow when fixing security vulnerabilities.
“There are always tradeoffs,” Greenstein says. “What happened in CrowdStrike is an illustration of the risk of picking up an upgrade immediately, because from time to time, there’s an error in them. It’s rare, but it happens. The other problem is more [prevalent]: delaying updates and exposing systems to cyberattacks.”
The growing incidence of cybercrime in recent years also informed the researchers’ work. The authors point to breaches as wide-ranging as those at the credit bureau Equifax and the UK’s National Health Service, both of which exploited flaws for which patches had already been published, and which might have been prevented had the organizations applied the available updates sooner.
Tracking software vulnerabilities
For their study, Greenstein and his co-authors examined security vulnerabilities in the open-source Apache HTTP Server. The popular web server was used by more than 150,000 medium and large US organizations between 2000 and 2018, giving the authors a large dataset spanning a long period.
During those years, Apache issued 115 software updates, mostly aimed at fixing 28 severe vulnerabilities and 130 less severe vulnerabilities.
Using data from Apache, the Internet Archive’s Wayback Machine, and other sources, the authors could track the server software hosting each organization’s website over time (archived HTTP responses preserve the Server header, which by default announces the Apache version in use) and therefore when each host did or did not move to a newer version.
More than half of organizations at risk
The authors found one somewhat encouraging result: about half of the firms fixed severe vulnerabilities within a year and routinely stayed near the “frontier” of updates, moving to a new version fairly quickly after a vulnerability was announced and a fix released.
Then again, roughly half of the firms were “way back from the frontier,” says Greenstein, not updating for long periods, such as two years, if ever, after Apache announced a vulnerability and its fix.
The average firm accumulated two severe vulnerabilities due to delayed manual updates after alerts were issued and fixes provided, according to the study.
But the most alarming finding: averaged over the 18 years, 57 percent of organizations were operating with a severe vulnerability that had already been publicly disclosed and for which a fix was available, the research says.
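To make the measurement concrete, the following added example (not code from the study or its authors) reconstructs the two steps described above: reading the Apache version out of archived Server headers for each organization, then computing, from a list of advisory dates, how long each organization stayed on a vulnerable version and what share of organizations was exposed on a given day. The advisories, organizations, and snapshot dates are all constructed placeholders, not real Apache advisories, CVEs, or observed hosts.

```python
import re
from datetime import date

# Constructed advisory list for this example: (first fixed version, public
# disclosure date, severity). Placeholders, NOT real Apache advisories or
# CVEs; the study used Apache's own advisory history.
ADVISORIES = [
    ("2.4.10", date(2014, 7, 15), "severe"),
    ("2.4.12", date(2015, 1, 30), "low"),
    ("2.4.25", date(2016, 12, 20), "severe"),
]

# Constructed per-organization timelines of (snapshot date, Server header),
# the kind of record recoverable from archived responses (the Wayback
# Machine keeps the original Server header as X-Archive-Orig-Server).
SNAPSHOTS = {
    "org-a": [  # patches within weeks of each severe advisory
        (date(2014, 1, 10), "Apache/2.4.7 (Ubuntu)"),
        (date(2014, 9, 1), "Apache/2.4.10 (Ubuntu)"),
        (date(2017, 1, 15), "Apache/2.4.25 (Ubuntu)"),
    ],
    "org-b": [  # upgrades roughly every two years
        (date(2014, 3, 1), "Apache/2.2.22 (Debian)"),
        (date(2016, 6, 1), "Apache/2.4.18 (Ubuntu)"),
    ],
    "org-c": [  # never observed upgrading
        (date(2013, 12, 1), "Apache/2.4.6 (CentOS)"),
    ],
}

_BANNER_RE = re.compile(r"Apache/(\d+(?:\.\d+)+)")


def parse_version(text):
    """'2.4.10' -> (2, 4, 10). Tuples order correctly; strings do not
    ('2.4.9' > '2.4.10' as strings)."""
    return tuple(int(p) for p in text.split("."))


def parse_banner(server_header):
    """Version from a Server header, or None when ServerTokens hides it."""
    m = _BANNER_RE.search(server_header)
    return parse_version(m.group(1)) if m else None


def version_in_effect(snapshots, day):
    """Version observed most recently on or before `day`, treating each
    snapshot as holding until the next one; the earliest snapshot is used
    when none precedes `day`."""
    ordered = sorted(snapshots)
    current = ordered[0][1]
    for when, header in ordered:
        if when > day:
            break
        current = header
    return parse_banner(current)


def days_to_fix(org, fixed_in):
    """Days from an advisory's disclosure until the org is first seen on a
    fixed version: 0 if never affected, None if never seen fixed (or the
    banner hides the version)."""
    _, disclosed, _ = next(a for a in ADVISORIES if a[0] == fixed_in)
    fixed = parse_version(fixed_in)
    running = version_in_effect(SNAPSHOTS[org], disclosed)
    if running is None:
        return None
    if running >= fixed:
        return 0
    for when, header in sorted(SNAPSHOTS[org]):
        seen = parse_banner(header)
        if when > disclosed and seen is not None and seen >= fixed:
            return (when - disclosed).days
    return None


def open_severe(org, day_iso):
    """Fixed-in versions of severe advisories disclosed by the ISO date
    whose fix the org has not yet been seen running."""
    day = date.fromisoformat(day_iso)
    running = version_in_effect(SNAPSHOTS[org], day)
    if running is None:
        return []
    return [fixed for fixed, disclosed, sev in ADVISORIES
            if sev == "severe" and disclosed <= day
            and running < parse_version(fixed)]


def share_exposed(day_iso):
    """Fraction of organizations running at least one publicly known
    severe flaw on the given ISO date, the study's headline measure."""
    exposed = [org for org in SNAPSHOTS if open_severe(org, day_iso)]
    return len(exposed) / len(SNAPSHOTS)


if __name__ == "__main__":
    for org in SNAPSHOTS:
        severe = [fx for fx, _, sev in ADVISORIES if sev == "severe"]
        print(org, {fx: days_to_fix(org, fx) for fx in severe})
    for day in ("2015-06-01", "2017-06-01"):
        print(day, f"{share_exposed(day):.0%} of orgs exposed")
```

Two caveats a practitioner would apply to this kind of banner-based measurement. First, the banner is a proxy: a server configured with ServerTokens Prod reports only "Apache", and the code above treats such hosts as unknown rather than exposed. Second, some distributions (Red Hat and CentOS among them) backport security fixes without changing the reported version, so a host like the constructed org-c may be patched even though its banner reads "2.4.6"; banner-based counts therefore overstate exposure for those hosts, while the reverse error (a banner newer than the code actually running) does not occur.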
Is it all about costs?
The authors found evidence that one of the main drivers of the delays is the cost of updating, both in money and in time lost when systems are taken down for complex upgrades. They also suspect that some companies simply wait to perform software updates on an annual schedule.
“People have told us that many organizations are on yearly calendars to update their security software,” says Greenstein. “They’re just taking a calculated risk. Vulnerabilities don’t work on a calendar. Cybercriminals show up when they show up.”