Tech & Work

Get off the upgrade, patch, upgrade, patch merry-go-round

Too busy to install OS updates? John McCormick says you should think again, as they may be the only patches worth making. He tells you why in this week's Locksmith.


After 35 years in the computer industry, I firmly believe that 99 percent of software programs’ bottom-line business benefits come from less than 10 percent of any program's features.

Am I not correct in saying that word processing's biggest efficiency gains come from spell-checking, block copying, and the ability to edit and re-use text? It’s not the ability to include 15 different font sizes in a single memo that makes word processing programs so important; it's those basic features. Does most of a spreadsheet’s value come from automating the traditional balance sheet or from the option to add color to the reports it generates?

Of course, you must surrender features in order to follow my very strict security rules about the use of .doc format files . The same goes for my rule of accepting any downloads except on isolated PCs.

Stop the madness
In exchange for skipping potentially dangerous downloads and avoiding all those time-wasting and often downright annoying bells and whistles, you’ll receive peace of mind. You’ll also enjoy beating the incredibly high cost of ownership many businesses face due to upgrades. The constant merry-go-round of upgrade, retrain, patch, retrain, and upgrade is less than efficient.

If you are blinded by technology, an analogy might help. It would be easier and more convenient if we could just leave our cars unlocked and have the sort of keyless ignition switches found in racecars. Never again would you need to fumble for your keys. No one would ever be locked out of his or her cars. But you have to balance this convenience against the strong possibility that your vehicle won't be where you left it.

There will always be trade-offs in software, too. They're called unintended consequences. New programs always carry new security dangers.

Contradictions?
The new Microsoft clip art danger I described in the last column is yet another reminder that most network security problems come from failure to remember and follow basic, common sense, security rules. Although the details are often complex, basic security concepts aren't rocket science.

Perhaps the most important and least followed advice I give is to keep your systems up-to-date with the latest patches. Someone is always the first to get hit with a new hacker attack, but there's no excuse for being hit after a fix is posted.

You’re probably thinking I must be nuts because I've just spent most of this column and the last installment railing against software upgrades. If so, you may have missed the whole point.

I object only to worthless upgrades. I also know that because of marketing pressure, upgrades will continue even when they aren't worthwhile to anyone but the vendor. Do you really think companies would produce perfect bug-free software, even if they could? If one did, then the company would quickly go out of business because who would buy new versions to replace perfect software?

Software vendors' entire business plans benefit greatly from the fact that it really is impossible to create perfect software. There's no use complaining about the bugs in new programs. If you don't like surprises, stick to the old, well-known versions. Today's software is just too complex to be perfect.

Now, I'm all for saving money by not upgrading software without a good reason, but there's one place you shouldn't skimp. Where? On operating system (OS) service packs and security patches.

Updating your OS is time-consuming and will probably introduce new and exciting features (that's vendor-speak for bugs). Once there is a known security flaw in your software, it must be patched ASAP.

Hacker clubs, like gangs that require kids to shoplift as an initiation, pressure wannabe members to prove themselves. The youngest hackers will practice their craft exploiting any well-publicized security hole, regardless of whether a patch exists. Even the high-level crackers won't pass up such an easy route into your systems. Don’t fail to plug the leak.

Bottom line
Follow my basic security rules, and you don't need to worry about many newly discovered security flaws. Why not? Because your systems just aren't vulnerable to them.

You can use in-house clip art all you want, but if you never downloaded clip art, you were never vulnerable to the latest Microsoft security hole. If you never accepted .doc files, Melissa was never a threat.

The spirit and philosophy behind my software security rules are identical to my physical security rules. If you always keep the door locked, you'll have fewer problems. You don't need an armed guard watching every office if you restrict access to the entire building. (Just be sure to conduct background checks on all employees.)

On the software side, you can have all the firewalls you want. But, if you violate my basic no-downloads-from-strangers policy, you are essentially leaving the doors unlocked and ajar.

Something to remember
Teenagers drive junkers with bad brakes at 90 mph because they feel immortal. Likewise, many businesses that have never been hit by hackers often think they aren't in any danger and believe that following security rules is a foolish waste of resources.

If you’ve been working with computers in your business for only 16 years, you are an IT teenager. I've been at it nearly four decades—and I now do my racing on the track, not the street.

Think about it.

John McCormick is a consultant and writer (five books and 14,000-plus articles and columns) who has worked with computers for more than 35 years. He keeps an entire stable of fine racing automobiles, but beware of trying to take a close glimpse; he also has a loose bull on the property.


Have a comment?
If you'd like to share your opinion, please post a comment below or send the editor an e-mail.

 

Editor's Picks

Free Newsletters, In your Inbox