Patches & Updates & GDPR
The main thrust of the GDPR regulations is to ensure the approved use and protection of personally identifiable information.
I discussed what effects this may have on owners of websites and blogs in the post What Does GDPR Mean For Your Website?
For anyone who administers a computer system, one of the most important things you need to make sure of is that you’re on top of patches and updates.
What Have Patches & Updates Got To Do With GDPR?
The issue isn’t that without keeping on top of the latest software updates you may be leaving yourself open to security issues which may leak personally identifiable information. (That is pretty bad by the way).
The issue is that without keeping systems up to date you WILL be leaving yourself open to large fines. Under GDPR you are responsible for taking reasonable steps to protect personally identifiable information.
Obviously keeping your infrastructure patches up to date is good business practice. I’m sure we’re all doing that – but with every system? Every device?
Having an audit of every system, every device is good business practice for any number of reasons. For GDPR – it will help you ensure that you have secured everything to the best of your ability.
Software – operating systems, database software, ERP etc., should be relatively easy and usually will notify you of updates. But what about that WIFI access point, your internet router, that firewall no-one really understands?
Everything connected to your network is a potential security issue. Worse, they’re likely to have patches available that you haven’t applied.
And once you’ve done an audit, what then? A one-off update to everything isn’t going to cover you. Regular checks won’t be enough either if “regular” means going a year between checking for updates.
No matter what you do or how good you are, there is always the potential for a security leak. You need to be able to show that you have done as much as is practically possible to protect your data.
Every device should have a log for what steps you have taken, when the last updates were checked and applied. This can be a general change log or a log for each individual device.
But don’t make things too hard for yourself. You can’t check every manufacturer’s website every day.
Many vendors have feeds you can subscribe to for security issues and updates. Create a special securityupdates@ email address and use it to subscribe to all the lists.
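One way to keep the per-device log the post describes is a small register that records when each device was last checked and patched, whether it is still supported, and whether you are subscribed to its vendor feed, and then flags what needs action. This is an added example, not code from the original post; the record format, the 30-day review interval and the device names are assumptions.

```python
"""Patch-audit register: flags devices whose update check is overdue, whose
vendor no longer ships patches, or which have no security feed subscribed.
Added example; record layout and review interval are assumed policy."""
from datetime import date, timedelta

REVIEW_INTERVAL = timedelta(days=30)  # assumed policy: check every device monthly

# Constructed inventory (sample data, not real devices). One record per device.
INVENTORY = [
    {"device": "core-fw-01", "feed": True, "eol": False,
     "last_checked": "2018-05-01", "last_patched": "2018-04-20"},
    {"device": "office-wifi-ap", "feed": False, "eol": False,
     "last_checked": "2017-03-10", "last_patched": "2016-11-02"},
    {"device": "old-router", "feed": True, "eol": True,
     "last_checked": "2018-05-10", "last_patched": "2015-06-01"},
]


def audit(inventory, today_iso, interval=REVIEW_INTERVAL):
    """Return (device, finding) pairs needing action as of today_iso (YYYY-MM-DD)."""
    today = date.fromisoformat(today_iso)
    findings = []
    for rec in inventory:
        since_check = today - date.fromisoformat(rec["last_checked"])
        if rec["eol"]:
            # No vendor patches will come: the finding is replacement, not an update.
            findings.append((rec["device"], "end-of-life: no further patches available"))
        if since_check > interval:
            findings.append((rec["device"],
                             f"update check overdue ({since_check.days} days since last check)"))
        if not rec["feed"]:
            findings.append((rec["device"], "not subscribed to vendor security feed"))
    return findings


def record_check(rec, today_iso, patched=False):
    """Update a device record after a check and return the change-log line that
    proves what was done and when (the evidence GDPR asks you to be able to show)."""
    rec["last_checked"] = today_iso
    action = "updates checked and applied" if patched else "updates checked, none pending"
    if patched:
        rec["last_patched"] = today_iso
    return f"{today_iso} {rec['device']}: {action}"


if __name__ == "__main__":
    for device, finding in audit(INVENTORY, "2018-05-25"):
        print(f"{device}: {finding}")
```

Append each line returned by `record_check` to a change log (one file for everything or one per device) and run `audit` on a schedule shorter than the review interval.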
Dangers of Old Kit
Using end-of-life devices is not necessarily a bad thing. But if the manufacturer no longer supports the device, there will be no new patches or firmware.
If your device has been cracked, or uses a protocol that is no longer secure, what can you do? With no option to switch to a safe protocol and no update forthcoming, well, get ready to splurge the cash.
If you know a device has a known weakness and you’ve done nothing you’re in deep doodoo. And if your device has a known weakness and you didn’t know – you’re in deep doodoo.
But by taking a sensible, practical approach you can limit the risk of leaks AND, perhaps cynically from a business point of view, limit those fines.
Hey – on the bright side though, IT is never boring – whatever anyone on the outside may think.