
When It Comes to Automatic Software Updates, Lack of Transparency Is a Challenge

OK, quick question: Without looking, do you know which apps on your computer are automatically installing updates without your knowledge?

Do you know the last time that any of them installed an update?

If you're anything like me, your answers are probably "not really" and "no." And in light of the recent CrowdStrike meltdown — when a bug in an update to CrowdStrike's Falcon cybersecurity product brought down 8.5 million Windows systems — that seems like a bit of a problem.

Automatic Software Updates: A Good Thing, Mostly

Don't get me wrong — generally speaking, some degree of automatic software updating is a good thing.

For instance, most modern antivirus products will regularly download new virus definition updates so they can watch for malware without you intervening. Operating systems, like Windows and macOS, can install security updates in the background so you always have the latest fixes. And apps like Slack, Microsoft Office, and Google Chrome regularly get updates to fix bugs, patch security issues, and introduce new features.

Automatic updates have undoubtedly saved many people from falling victim to cyberattacks that target security vulnerabilities in outdated software. And the vast majority of the time, these software updates go off without a hitch. But as we saw last week, an automatic update gone awry can wreak all sorts of havoc.

And if you don't know what updates are being applied and when, troubleshooting a sudden issue can be a challenge.

Stay in the Know (as Best You Can)

You may not have much say in when and how the software products you use receive updates. But with a little poking around, you can get a sense of which products on your organization's systems receive automatic software updates. 

Start by looking through menus and settings panels to see if there are any options related to automatic updates. You can also check your vendors' websites to see if they publish a changelog of all updates for their products. Many business software providers do in some form or another. You may also be able to contact your vendors' support teams for more information.
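On a Debian or Ubuntu machine, the package manager already records what was updated and when in `/var/log/dpkg.log`. The script below is an added example, not part of the original post: it parses that log format and lists what changed in the hours before something broke. The log lines, the `example-agent` package names and the incident time are constructed sample data.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in the dpkg.log line format (not taken from a real host).
SAMPLE_LOG = """\
2024-03-18 06:12:40 upgrade openssl:amd64 3.0.2-0ubuntu1.15 3.0.2-0ubuntu1.16
2024-03-18 06:12:44 status installed man-db:amd64 2.10.2-1
2024-03-19 03:58:10 upgrade example-agent:amd64 7.15.0 7.16.0
2024-03-19 03:58:12 install example-agent-data:all <none> 1.2.0
2024-03-19 09:30:00 upgrade tzdata:all 2024a-0ubuntu0.22.04 2024a-0ubuntu0.22.04.1
this line is truncated or corrupt
"""

# Only real package changes; "status", "configure" and "trigproc" lines are noise here.
LINE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (install|upgrade|remove) "
    r"(\S+) (\S+) (\S+)$"
)

def parse_changes(log_text):
    """Return package changes as dicts, oldest first; unparseable lines are skipped."""
    changes = []
    for line in log_text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue
        when, action, package, old, new = m.groups()
        changes.append({
            "when": datetime.strptime(when, "%Y-%m-%d %H:%M:%S"),
            "action": action, "package": package, "old": old, "new": new,
        })
    return sorted(changes, key=lambda c: c["when"])

def changes_before(log_text, incident, hours=24):
    """Changes applied in the `hours` leading up to `incident`, newest first."""
    start = incident - timedelta(hours=hours)
    hits = [c for c in parse_changes(log_text) if start <= c["when"] <= incident]
    return sorted(hits, key=lambda c: c["when"], reverse=True)

if __name__ == "__main__":
    incident = datetime(2024, 3, 19, 4, 30)  # constructed "things broke" time
    for c in changes_before(SAMPLE_LOG, incident):
        print(f'{c["when"]}  {c["action"]:8} {c["package"]}  {c["old"]} -> {c["new"]}')
```

To run it against a real machine, pass the contents of `/var/log/dpkg.log` in place of `SAMPLE_LOG`; older entries live in the rotated copies next to it.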

Also, if you can, test updates before rolling them out to the rest of your organization. If you are an IT administrator who configures how the operating systems of the computers on your network are updated and patched, test these updates first on a couple of test machines to make sure all your applications still work as expected. As much as third-party vendors try to sync their changes and test them, there is always the possibility of a conflict.

Diversity Is Good — Including in Your Tech Stack

Diversity is a part of every healthy ecosystem, both in nature and elsewhere in life. So when you're planning your technology, find ways to eliminate — or at least mitigate — single points of failure in your critical systems. For example, if you're mostly based on Windows, it might be good to bring some Macs or Linux-based PCs into the mix. 

There's no one right way to go about this. And it makes perfect sense to use a single app for certain things (like project management or team chat, for instance). But it's a good idea to ask yourself, "if this one system went down, would we still be able to serve our community?" If the answer is no, you may want to look into ways to diversify that portion of your tech stack.

Transparency Can Help

Software vendors can also make our lives easier by providing more transparency about what changed and when. 

Next time you check for app updates on your phone, make a mental note of how vague the release notes are for many of the apps you install. Release notes along the lines of, "we're always releasing updates to fix bugs and improve your experience" are not especially helpful. Vendors, provide a full readout of changes when you can — even if it's just a support document on your website.

And when you push out an update, consider giving IT admins the option to receive email notifications whenever a product receives an automatic update. 

An Ounce of Prevention…

In our modern software-driven world, automatic software updates are a fact of life. And once in a while, they break things. So the best thing you can do is treat the prospect of a bad software update as you would any disaster. Back up your data regularly. Store your backups in a secure location. And learn how to get up and running again should your technology ever come crashing down. Our Disaster Planning and Recovery Guide provides the information you need to get started.
