Why's it so hard to make employees update their software?

Egress | 24th Oct 2022

Updating software was one of the key behaviors promoted during last month’s Cybersecurity Awareness Month (CAM), a collaborative effort between government and industry to promote safety and security online.   

To help people keep their information secure online, the National Cybersecurity Alliance advises that people update their software often. Their advice also includes only downloading updates from the company that created the software, making updates automatic, and watching out for fake websites that ask them to install updates.  

Software updates are a security headache  

While the advice offered during CAM is a good start, it’s an oversimplification of a complex issue. In particular, this advice ignores the fact that, despite being prompted, many employees are still failing to update their software often.  

For security teams, realizing that employees are failing to take these very small steps to avoid what could quickly turn into a huge catastrophe can feel very frustrating, even in small organizations.  

In large enterprises with many people – including outside contractors – connecting to corporate networks, including those using their own BYOD devices at work, this problem is magnified. The result is many endpoints with a lot of potential vulnerabilities that leave your organization open for attackers to exploit.  

Why don't employees update their software? 

There are many reasons employees don't update their software – most of them simple.  

First and foremost, many employees simply do not understand the importance of software updates and consider them optional. From their perspective, the benefits of installing a software update simply do not outweigh the lost productivity. When they are deep in the middle of work with a deadline quickly approaching, and a notification pops up asking if they'd like to restart their computer right now, it's too easy to postpone the update until later and then forget about it.  

Too many of these notifications can also lead to notification fatigue. That could lead to employees putting off these updates indefinitely or even turning off the notifications altogether.  

Other employees are simply misinformed and wrongly think they can update the software by shutting down their computer instead of restarting it. This can give them a false sense of security that their software is up to date, leaving their system vulnerable to exploits.  

How can we get employees to update their software correctly? 

One way to ensure employees update their software regularly is to force reboots. However, this fails to address the root of the problem and can create tension between security teams and the rest of the business. It’s ultimately more effective to get people on board by educating them on why software updates matter. 

"If you're finding it hard to get people to update their software in a timely manner, it might be a case of helping them to understand how this simple task protects everyone in an organization," says Joe Chatterton, Head of Cybersecurity Operations at Egress. 

While the importance of patching might seem obvious to security teams, it’s probably not obvious to your employees. Most people have never been taught why software updates matter. It's hardly surprising that people still aren't updating their software if they don't understand why they need to.  

Chatterton explains, "You need to get people on board, otherwise you end up with forced reboots. In the ever-evolving cybersecurity threat landscape, it's imperative that tasks such as operating system patching, software updates, and maintaining end-of-life product life cycles take place." 

Help employees understand the importance of software updates 

It’s important to communicate with employees that the main reason they need to update their software regularly is to add new features and remove these known security risks that cybercriminals will exploit.  

Risks regularly get logged as Common Vulnerabilities and Exposures (CVEs), a list of publicly disclosed computer security flaws. Each year, the number of CVEs gets exponentially bigger. In 2012, there were a total of 5,288 known CVEs. So far, in 2022, there are over 20,250 known vulnerabilities.  

Employees should be educated to understand that these security flaws get dealt with in patches installed during software updates. Every day they wait to update their software and download these patches increases the chances that these vulnerabilities will be exploited. "Your organization is only as strong as its weakest link (or links) – even a small group of people failing to update leaves you vulnerable," explains Chatterton.  

Creating a strong culture of cybersecurity awareness helps your employees to understand why software updates are so important and how their individual actions can have a larger impact on the security of the rest of the organization. Chatterton adds, "If you can create a culture of security, you can reduce the risk factor substantially for small things which can often catch organizations out." 

Patching is a vital security behavior – here are 17 more things you can do this week to boost your organization’s cybersecurity.