Beyond Training - You Can't Stop There.
We've talked a lot about security awareness training lately because it is one of the most effective tools you have for keeping your network secure. It is not bulletproof, though.
Two weeks ago Microsoft issued patches for more than 85 security flaws across its supported Windows operating systems, including fixes for zero-day vulnerabilities. A zero-day is a flaw that attackers are already exploiting before the vendor has a patch available. In the ideal case, the "good guys" find a vulnerability and report it privately to the vendor, which ships a fix before anyone discovers the hole in the wild. A zero-day is the opposite: the attacker got there first, and no amount of user training closes a hole in the software itself.
Beyond training and testing comes your network configuration, and specifically how your updates are managed, or not managed. Many of us assume that software automatically, and magically, updates itself as needed. In reality, not all software can update itself, and even Windows needs prodding now and then. Google Chrome is a good example. It downloads updates in the background, but the new version is not applied until the browser is relaunched, which is why it keeps showing an "Update" button until you do. How often do you actually restart it? Windows is the same: many patches are not in effect until the machine reboots. You can wait for the next scheduled update cycle, but being proactive shortens the window during which a newly patched vulnerability, one your device hasn't picked up yet, can be used against you.
If only it were that simple. For a variety of legitimate reasons, many IT teams disable automatic updates, most often to keep an update from interfering with another application, such as your EHR system. The trouble is that, far more often than you would imagine, those patches then don't get applied until weeks or months later. During that gap you are wide open to attacks that are already public and already patched.
From a purely cybersecurity perspective, our preference is to configure your network to receive software updates as soon as they are released. A sensible compromise is to push each update to a small pilot group first, so an update that breaks a particular application is caught before it reaches every workstation. If an update does cause a problem, roll it back on the affected machines and contact the software vendor about a remedy. This takes more effort from your IT team, but it is far more secure than leaving known holes open for months. Ask your IT team whether all updates are applied automatically, and if not, ask them to change it.
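What "are updates applied automatically?" looks like from the machine's own side, as an added example that is not part of the original post: a PowerShell function that reads the Group Policy update settings, the Windows Update agent's own configuration, the date of the last installed hotfix and whether a reboot is pending, and lists anything that would leave the machine exposed. The function name, the 30-day staleness threshold and the output layout are choices made for this example; the registry keys and COM objects are the standard Windows Update locations. It needs an elevated prompt on the Windows machine being checked, and the optional `-CheckPending` switch needs network access to the configured update source.

```powershell
# Added example (not from the article): audit a Windows machine's update posture.
# Run from an elevated PowerShell prompt on the machine you want to check.
# Assumptions made here: the function name Test-PatchPosture and the 30-day
# threshold are choices for this example, not values from the article.
function Test-PatchPosture {
    param(
        [int]$MaxDaysSincePatch = 30,   # assumed threshold; set it to your own policy
        [switch]$CheckPending           # also ask the update source what is still missing (needs network)
    )

    $findings = New-Object 'System.Collections.Generic.List[string]'

    # 1. Group Policy can switch automatic updates off (NoAutoUpdate = 1) or downgrade
    #    them to "notify only" (AUOptions 2 or 3): the "IT disabled it" case above.
    $auPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
    $noAuto = (Get-ItemProperty -Path $auPolicy -Name NoAutoUpdate -ErrorAction SilentlyContinue).NoAutoUpdate
    $auOpt  = (Get-ItemProperty -Path $auPolicy -Name AUOptions    -ErrorAction SilentlyContinue).AUOptions
    if ($noAuto -eq 1) {
        $findings.Add('Automatic updates are disabled by Group Policy (NoAutoUpdate=1).')
    } elseif ($auOpt -in 2, 3) {
        $findings.Add("Updates wait for a manual step by policy (AUOptions=$auOpt).")
    }

    # 2. What the Windows Update agent itself believes. NotificationLevel:
    #    1 = disabled, 2 = notify before download, 3 = notify before install,
    #    4 = scheduled automatic install.
    $agent = New-Object -ComObject 'Microsoft.Update.AutoUpdate'
    $level = $agent.Settings.NotificationLevel
    if ($level -lt 4) {
        $findings.Add("Windows Update agent is not set to install automatically (NotificationLevel=$level).")
    }

    # 3. How long since a hotfix was actually installed, from the local servicing database.
    $lastHotfix = Get-HotFix |
        Where-Object { $_.InstalledOn } |
        Sort-Object InstalledOn -Descending |
        Select-Object -First 1
    $lastId    = $null
    $daysSince = $null
    if ($lastHotfix) {
        $lastId    = $lastHotfix.HotFixID
        $daysSince = [int]((Get-Date) - [datetime]$lastHotfix.InstalledOn).TotalDays
        if ($daysSince -gt $MaxDaysSincePatch) {
            $findings.Add("Last hotfix $lastId was installed $daysSince days ago (threshold $MaxDaysSincePatch days).")
        }
    } else {
        $findings.Add('No installed hotfix with a recorded install date was found.')
    }

    # 4. A patch that is installed but waiting on a reboot is not protecting anyone yet.
    $rebootKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending'
    )
    $rebootPending = [bool]($rebootKeys | Where-Object { Test-Path $_ })
    if ($rebootPending) {
        $findings.Add('A reboot is pending; installed updates are not active until the machine restarts.')
    }

    # 5. Optionally ask the configured update source (WSUS or Microsoft Update)
    #    which applicable updates are still not installed.
    if ($CheckPending) {
        $searcher = (New-Object -ComObject 'Microsoft.Update.Session').CreateUpdateSearcher()
        $missing  = $searcher.Search("IsInstalled=0 and Type='Software' and IsHidden=0").Updates
        foreach ($u in $missing) { $findings.Add("Not installed: $($u.Title)") }
    }

    [pscustomobject]@{
        ComputerName           = $env:COMPUTERNAME
        PolicyNoAutoUpdate     = $noAuto
        PolicyAUOptions        = $auOpt
        AgentNotificationLevel = $level
        LastHotFix             = $lastId
        DaysSinceLastPatch     = $daysSince
        RebootPending          = $rebootPending
        Findings               = $findings
    }
}

# Usage: local checks only; add -CheckPending to also query the update source.
Test-PatchPosture | Format-List
```

An empty `Findings` list means the machine is configured to install updates on its own, has installed something recently and has no reboot outstanding. Anything in the list is a concrete question to put to your IT team, which is more productive than asking in the abstract whether "updates are on".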