What you need to know about device drivers and IT security
The 2017 WannaCry attack provided a case study in the importance of keeping operating systems updated and many companies (large and small) found themselves hastily updating their updates policy in the light of this event.
While it is, clearly, necessary to keep operating systems updated, it is not; in and of itself, sufficient to keep your network safe (and your computers running efficiently), you also need to update your software and your device drivers.
The importance of drivers
In the early days of IT, those little pieces of software which control the interaction between external devices and the core PC could leave IT professionals tearing their hair out in frustration, but over the years “plug and pray”, really has (largely) become “plug and play”.
This is a benefit in all kinds of ways and no sane person would ever want to go back to the bad old days, but it may also be somewhat of a double-edged sword in that the invisibility of modern-day drivers can make it (only too) easy to forget about them – until there is a problem.
The reality of modern drivers
When you first purchase a device, it should always come with a working driver. You can still get the odd bug in even mainstream drivers but, to be fair, these now tend to be the exception rather than the rule.
As long as your device remains part of the manufacturer’s core offering, you can have a very high expectation of the associated driver being regularly updated. Sometimes this is to improve performance, both in the sense of fixing small issues and in the sense of improving functionality, but sometimes this is to improve security, essentially to fill in any small cracks that an attacker could exploit to gain access to your network.
If, however, your device reaches a point at which its manufacturer considers it obsolete then, eventually, the updates will cease and essentially the level of security if offers will remain static while security threats continue to develop and advance.
In other words, it is very likely to become a liability. The danger is that companies without a proactive driver-management strategy will fail to notice the absence of updates until they find out the hard way.
Updating to newer versions of hardware, or actively looking for newer drivers when they are no longer automatically updated – by Microsoft or whoever provides them – can help you to maintain your company’s online security. In an attempt to encourage companies to up their IT-security game, the UK government has been reaching out to industry with its Cyber Essentials scheme.
Complying with the Cyber Essentials scheme
The Cyber Essentials Scheme is a government scheme to encourage companies of all sizes (but particularly small ones) to appreciate the importance of maintaining a basic level of IT security.
The scheme covers five areas, which are: Secure Configuration, Boundary Firewalls and Internet Gateways, Access Control and Administrative Privilege Management, Patch Management and Malware Protection.
The motivations for participating in this scheme are a badge to demonstrate your competence and the possibility of lower insurance premiums. It is also mandatory for companies that want to bid on government contracts involving certain sensitive and personal information.
Even if you do not bid for such contracts now (or foresee yourself doing so in the future) complying with the Cyber Essentials scheme can also help keep you on the right side of GDPR, which is very much mandatory for everyone.
Keeping on top of your device drivers is an essential part of your cyber security and contributes to your Cyber Essentials compliance. Retaining a close eye on older tech, considering investing in new hardware when old drivers are no longer maintained, can help you to comply with the scheme and receive the associated benefits.
What should be done
Rather than letting themselves be a soft target for cyber criminals, third-sector organisations have an obligation to protect the data of their supporters, partners and service users, and to keep financial details safe from prying eyes and sticky fingers.
Many of these organisations would benefit from specialist training so that they fully understand the issue. They may think they are too small to be targeted, but attackers do not necessarily agree, and protection must be in place if organisations are to remain secure. Recruiting a third-party organisation that specialises in cyber security is an effective measure, when specialist knowledge and skills are required.