Outdated Software Could Cost Much More Than An Upgrade

It’s nice when we own something and it’s completely paid for. Think of a car or large purchase you financed. Once it’s paid off, you feel great: money is freed up and it’s yours.

However, often in these situations, you’ve poured a few years of use into it by the time it’s paid off. When something finally breaks, the warranty has probably already expired. Then, you’re forced to decide if you are going to put money into this old car or appliance or if it’s time to upgrade instead.

When you don’t upgrade your car or appliances, there may be some small risks in terms of missing out on improved safety or the newest features, but the biggest risk will be monetary.

Businesses sticking it out with old software isn’t much different, but the consequences can be much worse.

Software is sometimes pricey, and often, the outdated software will still technically work. We get used to the layout and processes, and it becomes easy to use. After five or ten years, you know where all the buttons are. Your documentation for employees might be based on this particular version, and you may not have the time to overhaul your reference materials.

The issue with this is that, while you’re happy to run the 2015 version of a piece of software, that software company has released a new version in 2016, 2017, 2018, etc. Usually, they will still update old versions for a short time after new ones come out.

Once these software companies stop providing updates, however, any known vulnerabilities will remain unpatched and any new vulnerabilities that are discovered will not be addressed.

If you know the software inside and out, so do the hackers. It’s far easier for them to utilize a known flaw than attempt to break new and unknown software. The longer you wait to update, the more likely it is that your data or network will be compromised.

Yes, paying for that new version of software is not something we want to do, but in the long run, it may save you a lot of money and headaches.

Software as a Service (SaaS) also makes this a little easier to deal with. Rather than paying a huge amount one time upfront, you can often subscribe and pay a smaller amount monthly or yearly that allows you to install new versions as they come out. This usually includes security patches and updates too.

Another consequence of holding out on updating old software is the possibility that your PC may need to be suddenly replaced or updated. If it crashes or becomes too slow to reliably use, you can lose that program. A lot of software is provided via download, and it may not be available for download once it’s time for a new PC.

In addition, if you bought something that was written for Windows 7 and have not upgraded in the past six years, it may not be possible to use that program if you are stuck five versions behind. Also, since you paid the vendor long ago, they often won’t help you reinstall the old software; instead, they’ll require you to buy a current version before assisting.

We understand that staying with what you’re familiar with is easy. Since you own the software, it carries a financial benefit as well. However, the short-term financial gains risk data loss and essential parts of your business becoming unrecoverable in a disaster. Look at software updates like insurance: you are paying to keep yourself as protected as possible and working to minimize any potential risk.

Four Tips For Next Year’s IT Budget

Thomas Fox is president of Tech Experts, southeast Michigan’s leading small business computer support company.

As the year winds down, you’re undoubtedly working out plans for 2016, and preparing your IT budget is at the top of that list. Every year presents unique network, server, and technology challenges that need to be addressed.

The increasing ubiquity of cloud services is something small business owners need to consider, but working out the basic budget items should take priority. Here are four tips to give your business a little bit of breathing room when it comes to planning next year’s IT expenses.

Think in the long term
When planning your IT budget, it’s important to consider both short-term and long-term investments that you’ll be making for the sake of your business.


Is Budget A Good Metric For Security?

Michael Menor is Vice President of Support Services for Tech Experts.

Is budget a good metric for security? In other words, if an organization wishes to improve its security, is spending more money an appropriate response? Furthermore, how can an organization ensure that any additional budget it allocates to security is spent wisely?

Talking about an organization’s security program in terms of its budget is something we are quite accustomed to. We often hear people discussing security spending in the context of evaluating an organization’s security posture.

For example, it’s not uncommon to hear statements such as “In an effort to improve its security, the organization has increased its security budget by 30%.” Of course, it goes without saying that a sufficient budget is necessary to accomplish anything.

Additionally, and perhaps quite obviously, it is important to note that larger organizations will need larger budgets to achieve the same level of execution.

What seems to be missing from the discussion, however, is the answer to a slightly different question: Does the organization spend its budget effectively?

A proper budget is indeed necessary, but it’s equally important how the budget is spent. Not every dollar spent will have the same impact on security posture.

Sometimes, we think about budget in a backwards manner. Oftentimes, clients say things like “I need a firewall,” “I need an IDS,” or “I need a DLP solution.”

The security organization will then communicate the business’ need for each of these requirements to the executives and make the case for the required budget accordingly.

If a new requirement arises down the line, the client will request more budget, which it may or may not receive.

The issue with this approach is that a security organization’s respective security programs are not tasked with things like “buy a firewall.”

Just purchasing a network firewall will not stop an attacker from walking into your organization and physically plugging his computer into your network.

Maintenance and having the proper security policies in place are just as important as having the appropriate equipment.

Take a look at this perspective. You never buy a car just to drive it around aimlessly. It involves proper maintenance and there are always risks that need to be identified each time you’re driving.

You need to mitigate, manage, and minimize risks and that’s essentially what the security organization does. Those risks can then be broken down into realistic and attainable goals and priorities.

Once we look at that list of goals and priorities, we soon realize that we have a framework in which to build our security operations. It is into this framework that we can drop all of our operational requirements.

Each goal generates a set of operational requirements and these spell out the people, processes, and products required to meet that specific goal.

It’s worth noting that each operational requirement may take one or more products to address. Similarly, each product may address one or more operational requirements.

While keeping that in mind, it’s possible to quickly build a matrix that will allow security organizations to map and optimize the products that best address the operational requirements.

It will take some time to transform budgetary discussions from product-centric to operation-centric.

However, as executives and boards see the direct correlation between increasing budget and improved security posture, they will be more likely to approve future budgetary increases.

So, getting back to the original question: Is budget a good metric for security? I would say that budget is not a metric at all, but rather a means to address operational security requirements.
