Skip to main content

The Update Obsession: Are We Really Opening the Front Door to Cybercriminals?

·1075 words·6 mins· loading · loading ·
Ronny Roethof
Author
Ronny Roethof
A security-minded sysadmin who fights corporate BS with open source weapons and sarcasm
Table of Contents

Okay, let’s talk about updates. Specifically, the relentless, fear-mongering narrative that if you dare to postpone an update, you’re basically rolling out the red carpet for cybercriminals. I recently stumbled upon a Dutch text (from the Digital Trust Center, no less!) that perfectly encapsulates this sentiment: “By postponing your updates, you’re opening the front door for cybercriminals.” Really? Is it that black and white?

While I agree that patching vulnerabilities is crucial, this kind of oversimplified, alarmist messaging does a disservice to the complexity of the issue. It’s like saying, “If you don’t lock your door immediately after entering your house, you’re inviting burglars in.” Sure, locking your door is a good idea, but there’s a whole spectrum of security measures, and life isn’t always about immediate reactions.

The Patching Paradox: When Updates Go Wrong
#

Here’s the thing: updates aren’t always sunshine and rainbows. Yes, they often contain vital security fixes, but they can also introduce a whole host of problems. We’re not talking about theoretical risks here; we’re talking about real-world incidents that have impacted countless users, businesses, and even critical infrastructure.

Recent Update Fails: A Pattern of Problems
#

Consider these recent examples:

  • Windows 11 BSOD Bonanza: Lately, Windows 11 updates have been notorious for causing Blue Screens of Death (BSODs). Users have reported system crashes, data loss, and hours of troubleshooting, all thanks to updates that were supposed to make their systems more secure and stable.
  • July 2024: CrowdStrike Falcon Sensor Update Issues: Even security software isn’t immune to update failures. In July 2024, a CrowdStrike Falcon Sensor update caused significant disruptions for many users, highlighting the risks of blindly trusting even trusted security vendors’ automatic updates.
  • March 2024: McDonald’s Point-of-Sale System Failure: A major update to McDonald’s point-of-sale (POS) systems in March 2024 resulted in widespread outages, impacting numerous restaurants and causing significant financial losses. This wasn’t an isolated incident, as similar POS issues were reported around the same time.
  • March 2024: Other Point-of-Sale System Failures: Following the McDonald’s incident, multiple other businesses experienced similar POS system failures due to updates, showing a pattern of update-related disruptions in this critical area.
  • February 2025: Denon DRA-800H Firmware Update: It’s not just enterprise systems that are affected. A firmware update for the Denon DRA-800H audio receiver in February 2025 caused problems for many users, demonstrating that even consumer devices are susceptible to update-related issues.

These aren’t isolated incidents. They’re part of a larger pattern of updates causing more harm than good.

Beyond the Headlines: Other Update Pitfalls
#

Beyond these high-profile examples, updates can also introduce:

  • New Bugs: How many times have we seen updates that break existing functionality or create new vulnerabilities? It’s a common occurrence, and rushing to update can sometimes be more dangerous than waiting.
  • Compatibility Issues: Especially in complex environments, updates can clash with other software or hardware, leading to downtime and frustration. This is a real concern for sysadmins and IT professionals.
  • Forced Changes: Updates can change the way software works, disrupting workflows and requiring users to relearn processes. This can be incredibly disruptive, especially in professional settings.
  • Usability issues: Sometimes updates make the software less usable.

The Human Factor: We’re Not Robots
#

The “update immediately or face doom” narrative also ignores the human factor. We’re not robots. We have lives, deadlines, and limited time. Demanding that everyone drop everything to install every update the moment it’s released is unrealistic and, frankly, a recipe for burnout.

Furthermore, this kind of messaging can lead to:

  • Update Fatigue: When users are constantly bombarded with update notifications, they start to ignore them, even the important ones.
  • Blind Trust: People may blindly install updates without considering the potential risks, simply because they’ve been told it’s the “safe” thing to do.
  • Ignoring other security measures: People might think that updating is the only thing they need to do to be secure.

A More Balanced Approach: The Case for a Delay
#

Instead of fear-mongering, let’s advocate for a more balanced approach to updates, one that acknowledges the potential risks and benefits. A key part of this approach is implementing a delay policy for most updates.

Why Wait?
#

  • Let Others Be the Guinea Pigs: By waiting 24 hours, a week, or even longer (depending on the update’s nature), you allow others to encounter and report any issues. This gives you valuable information before you potentially disrupt your own systems.
  • Assess the Impact: A delay gives you time to research the update, read reports from other users, and determine if it’s truly necessary or if it’s likely to cause problems.
  • Plan for Downtime: If an update does require downtime, a delay allows you to schedule it for a time that’s least disruptive.
  • Avoid the rush: By not updating immediately you avoid the rush and the potential problems that come with it.

When to Update Immediately
#

Of course, there are exceptions. High-security patches that address critical vulnerabilities should be applied as soon as possible. These are the updates that genuinely protect you from immediate threats. However, even in these cases, it’s worth checking for any known issues before deploying them widely.

A Practical Policy
#

  1. Risk Assessment: Understand the risks associated with not updating, but also the risks associated with updating too quickly.
  2. Testing: In professional environments, test updates in a staging environment before deploying them to production.
  3. Prioritization: Focus on critical security updates first, and be more cautious with feature updates.
  4. User Education: Educate users about the importance of updates, but also about the potential risks and how to make informed decisions.
  5. Automation with Control: Automate updates where possible, but allow for some level of control and deferral. Implement a policy of delaying updates by at least 24 hours, or up to a week, unless it’s a high-security patch.
  6. Layered Security: Updates are just one part of a comprehensive security strategy. Strong passwords, multi-factor authentication, firewalls, and user awareness are equally important.

The Bottom Line
#

Yes, updates are important. But they’re not the be-all and end-all of security. Let’s move away from the simplistic “update or die” mentality and embrace a more nuanced, risk-aware approach. Let’s empower users to make informed decisions, rather than scaring them into blind compliance. And let’s acknowledge that sometimes, waiting a bit before updating is the smart thing to do.

What are your thoughts on this? Are you an immediate updater, or do you prefer to wait and see? Let me know in the comments!

Related

The Paradox of Excessive Security Measures: When Does 'Safer' Become 'Overkill'?
·684 words·4 mins· loading · loading
My Personal Take: Company Laptops - Security Ain't Everything (But It's Still My Job, Damn IT)
·1207 words·6 mins· loading · loading
The Sleep-Deprived Sysadmin: A Personal Journey Through Burnout and Recovery
·1295 words·7 mins· loading · loading