Is the humble software update the unsung hero of modern enterprise security? It certainly doesn’t get the attention it deserves.
By Valencia Karageorgiades, Technology Architect at SAP Africa
Modern security teams are consumed with identity and access management, device management, ransomware threats, phishing attacks, awareness training, privacy and compliance.
Due to a pervasive cybersecurity skills shortage, these teams are often stretched thin. In fact, ‘cybersecurity skills’ were the most in-demand among African organisations in SAP’s latest Africa’s AI Skills Readiness Revealed report, with 86% of companies citing demand.
Organisations know they should keep systems up to date. But all too often, updates are postponed in favour of more immediate priorities, leading to potentially costly delays.
Very costly. A Harvard Business School publication notes that the devastating cyberattacks on the UK’s National Health Service and credit bureau Equifax could have been avoided if the organisations had updated their software sooner; in both of those 2017 incidents, a patch for the exploited flaw had been available for roughly two months before the attack.
‘Outdated’ explained
Outdated software – referring to applications, platforms or operating systems that have not received critical updates or patches despite newer versions being available – is one of the most persistent and preventable security risks for modern enterprises.
Outdated software also includes software that has reached end-of-life, meaning it is no longer supported by the vendor through security patches and bug fixes. For example, a surprisingly large number of well-known companies still use outdated operating systems, despite those operating systems no longer being supported by the vendors.
Businesses often run these older versions of software out of habit, or to avoid the perceived cost of upgrading. Others fear the disruption of change and hope to avoid costly downtime and change management. But these savings are superficial – the cost of a breach will almost always outweigh the cost of keeping software updated, especially as the average cost of a data breach continues to increase.
Reducing risk
Failing to maintain software updates exposes companies to a range of risks, including:
- Known vulnerabilities go unpatched – Every software product has vulnerabilities, but what matters is how quickly they’re fixed. Software vendors actively monitor and patch these flaws. However, once support ends, so does the protection. A published patch and its advisory also tell attackers exactly where the flaw is, and working exploits for widely documented vulnerabilities often circulate within days. Cybercriminals actively scan for unpatched software that is still exposed to these well-known flaws, so any system left unresolved is a standing target.
- Incompatibility with modern defences – Cybersecurity doesn’t stand still. Encryption methods evolve. Firewalls improve. Detection tools become smarter. Outdated software struggles to integrate with these advancements, weakening your security posture across the board. Companies could be investing in the latest cyber defences, but if their legacy apps can’t support them, they remain exposed to significant risk.
- Standing defenceless against new threats – The threat landscape changes daily. Attackers are constantly developing new techniques, from zero-day exploits to advanced phishing campaigns. Supported software at least receives a fix once a newly discovered flaw becomes known; unsupported software never does, so every new weakness found in it stays open indefinitely.
- The inevitability of data breaches – Once attackers exploit a vulnerability, this can lead to a total compromise of the entire landscape. Personal data, financial records, and customer information all become potential targets. And in the modern threat landscape, it’s not a matter of if a company will suffer a data breach, but when. When a breach occurs, the consequences can be severe: reputational damage, regulatory fines, legal action, operational downtime and financial losses compound the misery. And these aren’t theoretical risks – they’re playing out in boardrooms across the continent.
Staying secure
Keeping the enterprise secure requires a proactive approach that includes a strong focus on maintaining up-to-date software as well as a layered security strategy. Organisations should take note of the following best practices to secure against unnecessary cyber risk:
- Modernise where it matters – Organisations using end-of-life or unpatched software should transition to supported systems. While upgrades may cause some disruption, the risk of a breach is far greater and harder to control.
- Stay current on patches – Even supported software can be vulnerable if it’s not updated. Organisations must ensure their IT teams have a clear process for applying patches and updates in a timely and controlled manner: prioritised by how exposed the system is and whether the flaw is being exploited, tested before rollout, and with a rollback path so that fear of downtime does not become a reason to postpone.
- Conduct regular security audits – It’s unwise to wait for an incident before identifying a security gap. Regular vulnerability assessments can identify outdated systems, missed patches, and other blind spots in the enterprise environment, giving organisations the opportunity to fix them before they’re found by someone else.
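The three practices above (retire end-of-life software, patch within a defined window, audit for gaps) can be turned into a repeatable check. The following is an added example, not tooling from SAP or the author: a toy patch-hygiene audit over a constructed asset inventory. The product names, version numbers, end-of-support dates and patch windows are all made up for illustration; a real run would pull the inventory from a CMDB or endpoint agent and the support calendar from the vendors.

```python
"""Toy patch-hygiene audit over a constructed asset inventory.

Added example, not SAP's or the author's tooling. Product names, versions,
end-of-support dates and patch windows below are hypothetical.
"""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Asset:
    host: str
    product: str
    major: str          # major version in use, e.g. "7"
    last_patched: date  # date the last vendor update was applied
    internet_facing: bool


# Hypothetical vendor support calendar: (product, major version) -> end-of-support date.
# A product/version missing from the table is reported rather than assumed safe.
END_OF_SUPPORT = {
    ("exampleos", "7"): date(2023, 6, 30),
    ("exampleos", "8"): date(2026, 12, 31),
    ("exampleapp", "2"): date(2022, 1, 31),
    ("exampleapp", "3"): date(2027, 3, 31),
}

# Assumed patch windows in days; exposed hosts get the shorter one.
PATCH_SLA_DAYS = {"internet_facing": 14, "internal": 30}


def audit(assets, today):
    """Return findings as (host, code, detail) tuples, most urgent first."""
    findings = []
    for a in assets:
        eos = END_OF_SUPPORT.get((a.product, a.major))
        if eos is None:
            findings.append((a.host, "UNKNOWN_SUPPORT",
                             f"{a.product} {a.major} not in support calendar"))
        elif eos < today:
            findings.append((a.host, "END_OF_LIFE",
                             f"{a.product} {a.major} unsupported since {eos}"))
        sla = PATCH_SLA_DAYS["internet_facing" if a.internet_facing else "internal"]
        age = (today - a.last_patched).days
        if age > sla:
            findings.append((a.host, "PATCH_OVERDUE",
                             f"last patched {age} days ago, window is {sla} days"))
    # Order: end-of-life first, then overdue patches, then unknowns;
    # internet-facing hosts before internal ones within each group.
    order = {"END_OF_LIFE": 0, "PATCH_OVERDUE": 1, "UNKNOWN_SUPPORT": 2}
    exposed = {a.host: a.internet_facing for a in assets}
    findings.sort(key=lambda f: (order[f[1]], not exposed[f[0]], f[0]))
    return findings


# Constructed inventory and audit date for the demonstration.
AUDIT_DATE = date(2024, 5, 6)
SAMPLE_ASSETS = [
    Asset("web-01", "exampleos", "7", date(2024, 1, 5), True),
    Asset("web-02", "exampleos", "8", date(2024, 4, 20), True),
    Asset("erp-01", "exampleapp", "3", date(2024, 4, 28), False),
    Asset("hr-01", "exampleapp", "2", date(2024, 2, 1), False),
    Asset("lab-01", "exampleos", "6", date(2024, 5, 1), False),
]

if __name__ == "__main__":
    for host, code, detail in audit(SAMPLE_ASSETS, AUDIT_DATE):
        print(f"{host:8} {code:15} {detail}")
```

Two details matter for a real audit. First, an asset whose product or version is not in the support calendar is reported as a finding rather than silently skipped, because "we don't know whether it is supported" is exactly the blind spot such audits exist to surface. Second, the patch window depends on exposure: `web-02` is only 16 days behind and would pass as an internal host, but as an internet-facing one it is overdue.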
Technology isn’t static, and neither are cyber threats. The tools and systems companies rely on must evolve alongside them or they become the weak link in an otherwise strong chain. Outdated software might not grab headlines like a major data breach, but all too often, it’s what causes one.
If cybersecurity is a board-level concern (and it should be), then software maintenance must be a strategic priority. In a world of rising threats, staying up to date isn’t just good practice for African enterprises, it’s a critical defence.