From the archive – first published 19/05/2017
Avoiding Cybersecurity Risks: A 4-Point Plan for Your Organisation
A Wake-Up Call: Learning from the NHS Cyberattack
The recent NHS cyberattack served as a stark reminder of the dangers of outdated systems. The organisation was still relying on obsolete software, including versions running on Windows XP, making them easy targets for malware. These attacks often exploit vulnerabilities in unpatched systems, and unfortunately, many organisations find themselves in the same position—leaving their infrastructure exposed due to poor security practices.
I’ve encountered numerous organisations where IT teams prioritise certification criteria, such as ISO27001, but overlook fundamental security gaps. One of the biggest challenges is the difficulty of upgrading—many businesses continue to use outdated software or systems that require complete rewrites to modernise.
While no solution can guarantee total security, taking proactive steps can significantly reduce risks.
The Upgrade Lag Problem
A standard security measure is restricting software installation to IT specialists. In theory, this should prevent malware infections. However, it does not address other vulnerabilities, including “Upgrade Lag”—the delay in applying critical system updates.
System administrators understandably need time to test upgrades before deployment, but delaying them for too long creates serious security risks. Employees often grow frustrated by their inability to update necessary software, while IT teams hesitate to grant the required permissions, fearing potential issues. Many organisations still restrict software installations, but this approach stifles progress and creates avoidable bottlenecks.
A better approach is to empower staff, even those without formal IT roles, by granting controlled permissions to install essential updates. Recognising the technical skills already present within teams can improve security and efficiency. To mitigate risks, IT departments can use monitoring software to track installations across the network.
The Pitfalls of Focusing Solely on Certifications
Certifications such as ISO27001 play an important role in cybersecurity, but organisations should not lose sight of their primary objective—ensuring robust security. Compliance alone is not enough; what truly matters is the effectiveness of security measures in real-world scenarios.
The Cost of Delayed Updates
The “if it ain’t broke, don’t fix it” mentality is a major security risk, especially in today’s fast-evolving digital landscape. By the time an outdated system becomes a critical security liability, upgrading it can be extremely costly. Finding experts familiar with legacy systems becomes increasingly difficult, and in many cases, systems must be completely rebuilt to meet modern security standards.
Why Moving to Web-Based Systems Can Help
One effective way to mitigate security risks is by transitioning to web-based systems. With cloud-based applications, there is only one version to maintain, simplifying updates and backups. If one server fails, another can take its place instantly. Additionally, web-based systems offer improved data security and facilitate policies like Bring Your Own Device (BYOD), reducing hardware management costs.
For example, I rely on web-based tools such as Microsoft Word, Excel, Gmail, and Google Calendar. These applications run smoothly without requiring manual updates beyond regular browser maintenance.
Managing Essential Software Upgrades
While some applications must still be installed locally, managing upgrades efficiently is crucial. Organisations must focus on reducing “Upgrade Lag” to avoid unnecessary security risks. One strategy we use is Jubilee Sprints—a dedicated period each year where we focus on addressing system upgrades, tackling technical debt, and improving user interfaces. By identifying high-risk areas and proactively resolving them, we ensure that upgrades are not left until they become major security concerns.
A Simple 4-Point Plan to Avoid Cybersecurity Incidents
To prevent cybersecurity threats similar to those that affected the NHS, consider implementing this straightforward plan:
1. Identify IT Experts Within Departments
Encourage each department to identify employees with IT expertise, even if they do not have formal IT roles. Provide them with the necessary permissions and support to ensure systems remain up to date. Similar to first aid training, these “departmental IT experts” can help maintain and upgrade critical applications.
2. Enable Device Independence
Ensure that if a device fails, employees can quickly switch to another without disruption. Identify key devices and migrate essential functions to web-based systems, reducing reliance on specific hardware.
3. Implement Jubilee Sprints
Schedule an annual or quarterly “Jubilee Sprint” dedicated to tackling Upgrade Lag. Prioritise quick wins—systems that can be updated easily—and implement long-term strategies to prevent future delays.
4. Proactively Prevent Upgrade Lag
Develop a long-term strategy to minimise reliance on systems requiring complex upgrades. Where possible, opt for web-based solutions and implement a structured approach to applying updates as soon as they become available. Delaying updates only increases costs and complexity in the long run.
By taking these proactive steps, your organisation can significantly reduce cybersecurity risks while maintaining an efficient and secure digital environment.
