LatAm Companies Must Eliminate the Use of Obsolete Software

The increase in ransomware attacks in 2022 is a topic that has captured newspaper headlines around the world. Still, little is said about a practice that makes companies and institutions in Latin America especially vulnerable to this kind of threat: the use of obsolete software. A recent Kaspersky report shows the extent of this problem, revealing that 47 percent of Latin American companies use some type of outdated technology in their IT infrastructure.

Yes, it's annoying to receive a message in the middle of the working day asking us to restart our computer for an update installation that takes several minutes. In fact, Kaspersky’s figures reveal that 48 percent of Latin American employees consider computer updates to be a "routine and boring" task and, therefore, tend to postpone them.

According to our report, there are several reasons why employees choose to delay software updates: 32 percent say it is because they are busy at work; 24 percent because they do not want to stop using their device at the time they receive the update notification, and 22 percent argue that they do not want to close the application they are using. Perhaps the most revealing fact is that 68 percent of Latin Americans do not see any harm in postponing updates on their computers, a belief that could not be further from reality.

Updates are designed to not only enhance but also secure a device. However, some companies may not realize how serious delaying updates can be. Kaspersky's report, "How Businesses Can Minimize the Cost of a Security Breach," reveals that the practice of using outdated software puts companies at risk of suffering more financial damage in the event of a security breach — 51 percent more for SMBs and 77 percent more for enterprises — compared to those that upgrade on time.

Although vulnerabilities are inevitable in any software, implementing updates and patches on a regular basis can minimize risks. For this reason, users are always recommended to install the latest software versions as soon as they become available, even if updates are sometimes complicated or time-consuming.

Installing all security updates on time is an essential principle of cybersecurity hygiene, in addition to using an anti-malware solution. This practice must become routine: if there is a patch, it should be installed without delay or protest. It should become an internal rule for IT administrators and for the entire staff in every company.

In addition, if a vulnerability occurs, but a patch is not yet available, as in the case of zero-day vulnerabilities, the IT department should read the vendor's recommendations and implement workarounds (hardening or disabling protocols or services, for example). This should also be done immediately.

It is important to note that when a supplier offers a patch, it means that the vulnerability has existed for some time and that attackers probably found out about it before the supplier did. Therefore, when a patch is issued, organizations need to understand that the vulnerability may have already been exploited. In highly organized targeted attacks, APT agents do not attack known and popular vulnerabilities but rather exploit new tools. Consequently, while timely updates are essential, another necessity for every company is to have a large-scale protection system that is capable of detecting advanced attacks, even through hidden and disparate signals.

Shadow IT, which is the use of services or technology platforms that do not have the authorization of the IT department, is another reason for companies to keep their systems up to date, as this will help them close security breaches, especially in those applications that employees install without the organization's knowledge.

Companies and institutions in Latin America must eliminate the use of obsolete software and create a culture of updating and patching that is familiar and common to all employees. Failing to do so is like having the company’s cybersecurity likened to a steel chain held together by a nylon link, making it easier for cybercriminals to access the company’s network.