Are lack of tech upgrades really a digital security problem?
Keith Buzzard, Chief Technical Architect with Robin Clive-Matthews, IT Manager and Security Specialist
We recently read an article on lack of tech upgrades contributing to the risk of data breaches. It got us thinking: While we all love the latest and greatest hardware, what’s the real risk?
There was a time when hardware ‘usability’ was defined by the requirement for a modern, secure operating system supported appropriately by vendors. Because all vendors are different, IT departments worked within a fairly short hardware lifecycle (usually around three years) that has since become an industry standard. Arguably, it’s also an expensive one considering the cost of procurement.
But, it’s important to remember that in the last few years, we’ve progressed quite a way in terms of computational power. Moore’s law shows that the rate of computational power increase has significantly slowed down, which reflects a decline in technological advancement in the laptop and desktop technology space. Basically, we have reached a point where hardware no longer ‘conks out’ after three years and vendor support continues for a longer term—these machines still run the basic business applications, such as the office suite, which, for a majority of users, is the main use, and especially as end user devices take less and less of the workload compared to cloud solutions.
From a security point of view, age isn’t a problem; the vendor support is far more important. If the vendor continues to provide patches and updates on a sensible schedule for the device, and no ‘unpatchable’ issues arise, then security of the device has not been compromised.
Of course, there is a possibility of security issues arising as older hardware might not be getting updated drivers (and how would you know if it wasn’t?) and if the hardware is really old and was low-powered at the time of purchase and not upgraded, then you might struggle to run security products on it because they tend to have quite a high overhead.
But, it’s important to remember that for the most part, attackers go after application and OS software vulnerabilities, and most driver upgrades are released to fix stability or performance issues, not security vulnerabilities.
What’s the practical reality?
One of the challenges in working out the security ‘longevity’ of a device is that few vendors are explicit about how long the device will receive support for. Furthermore, different vendors take different approaches to the lifecycle of a device, which can be difficult to understand at the time of purchase. As an example, some android handsets never receive security updates, while the Pixel range is guaranteed security updates for three years from launch (thus, as a security practitioner, we can condone Pixel’s use for up to three years).
Frustratingly, a much cheaper handset may never receive a single security update, meaning that we would struggle to condone its use at all. In fact, use of such a device could raise issues with basic security accreditation—such as a Cyber Essentials Plus—due to its lack of ongoing support.
Many organisations can struggle to track inventory and understand when support windows are due to end, so it often becomes simpler to assume devices will have the traditional three-year support window and to depreciate the cost of the device over this period. However, with careful tracking of support periods, and vigilance from a security point of view, delaying procurement of replacements may be possible. If you can pay a little more for a device and get a longer support period then it may end up with a lower cost of ownership before replacement is required from a security perspective.
What’s the solution?
We’re moving away from the ‘traditional’ lifecycle of hardware. This makes sense in a time where organisations are more fiscally conscious than ever before; moreover, we’re also aware of the toll conventional views on the hardware replacement cycle take on the environment.
As with most things, if you invest in a good quality machine in the first place, it will last you longer. Of course, three-year upgrade cycles are fine if you have money to spend on them, but they’re very expensive not only in terms of buying the kit, but also in wasted time preparing the new hardware for use and swapping staff over onto it. It’s worth remembering that new hardware costs a lot more than old hardware and you may not see the benefit in terms of a signficantly improved fail rate.
Certainly, many of us would love shiny new kit every year, but that’s not a practical desire, it’s more about having something new. To understand whether it’s truly a ‘need’ versus a ‘want’, we recommend you invest some time investigating your current estate and its likely security longevity. You might be surprised…and save some money too.
We believe that cyber security shouldn’t be vastly expensive or complicated. Talk to us about how we can help you get maximum value out of your security budget. Call us on +44 (0) 845 600 4403 or email us via firstname.lastname@example.org