The Importance of Protecting Your Customers' Data

The May 2017 cyberattack known as “WannaCry” was one of the most far-reaching ransomware attacks in history, affecting hundreds of thousands of computers in more than 150 countries. Victims of the attack included the British National Health Service, FedEx, the Russian Interior Ministry and Spanish telecom giant Telefonica. That attack cost those businesses more than money—it also eroded the trust their clients and customers had placed in them, damaging their brands and hurting their reputations.

What’s especially vexing about this ransomware attack is that it could have been avoided. All the victims of the attack would have needed to do is install a Microsoft update in March—one which would have fixed the security flaw which left them vulnerable—but hundreds of thousands of businesses didn’t, which has security experts asking “Why?” Why, when critically important security updates are made freely available, do so many users not take advantage of them?

Alarming Statistics

Several recent studies have found that a surprisingly large number of people, including security experts and software engineers, either take weeks to install critical software updates, like the one which would have prevented the WannaCry attack, or don’t install them at all. Here is just a sampling of what those studies found:

  • Almost half of computer users in a University of Indiana/University of Edinburgh survey reported being “frustrated” updating software
  • Only 21% had a single positive story about software updates
  • Just 64% of security experts update their software automatically or immediately upon being notified a new version is available
  • Among regular users, the number who automatically update is far smaller, just 38%
  • Among software engineers, the average time to install an update is 24 days
  • Regular users take almost twice as long to update their computers—on average, 45 days

Updates Are Confusing and Interrupt Work

The companies which put out software updates are partly responsible for the lack of attention users give them. Here are 3 of the top reasons users don’t install recommended updates:

  1. Concern about the impact of updates: many users are concerned that updating software could cause problems with programs they rely on regularly. This is especially true for companies which have many computers running highly specialized software.
  2. Updates interrupt work: updates typically require that users stop whatever they’re working on at that moment and restart their computers, a process that can feel interminable when users have important work to complete or are facing tight work deadlines. 
  3. Updates aren’t adequately described or prioritized: the update which would have prevented the WannaCry attack was released on March 14—it was one of 18 updates released on that date. Half were described as “critical”; the other half were labelled “important.” Said differently, companies don’t provide users sufficient information to determine which updates they need to take seriously.

How Software Companies Can Help Solve the Problem

There’s a reason security experts and engineers, although themselves sometimes slow to install updates, generally do so more quickly than regular users—they understand the potential vulnerabilities those updates might fix. That puts the onus on software companies to do a better job of explaining to users why updates are critically important, and which updates are essential.

Elissa Redmiles, a National Science Foundation Research Fellow whose work focuses on understanding how users make security decisions, recommends that software companies also do a better job of making updates more seamless and less disruptive:

“Software companies are working on making updates more seamless and less disruptive. Google’s Chrome web browser, for example, installs updates silently and automatically—downloading new information in the background and making the changes when a user quits and then reopens the program. The goal is for the user not to know an update even happened.”

Every interaction your business has with customers, from email to website traffic to a transaction to a phone call, matters. That includes protecting their sensitive data, housed on your computers. If your customers' data is compromised, they won't blame the software company; they'll blame you, and nothing will destroy the trust you’ve worked so hard to build more quickly or irrevocably than a security breach. That means you need to install every software update, and do so as soon as possible after it’s made available.