#8 CASE STUDY - SKIPPED SECURITY UPDATE 

"We’ll update everything later… if it ever becomes urgent." 

COMPANY 

  • Sector: Retail/Food 

  • Size: 20 employees 

  • Location: Wallonia 

FACTS & FIGURES 

  • 20 out of 20 users were affected 

  • Protection efforts: None 

  • Business impact: Payment processing was halted for two business days. 

STORY 

A bakery chain in Wallonia had a fleet of point-of-sale (POS) tablets. Everything worked fine, until one morning, all systems froze. No transactions, no payments. An investigation revealed that a known vulnerability had been exploited on one of the tablets—because not a single update had been installed in months. 

INCIDENT OVERVIEW 

None of us likes our devices to be interrupted, even if those interruptions are for their own good and the good of the (digital) world we live in. This attitude presumably explains why the manager of a local bakery chain had been putting off the updates for their point-of-sale tablets indefinitely. 

The good news: she was clearly trying to keep the tablets secure. 
The bad news: in our vulnerable digital world, updates are a necessary evil at best and a cure for a cashless apocalypse at worst. It appears this bakery chain got the second kind of update crash course. 

BUSINESS IMPACT 

  • Payment processing became impossible, resulting in lost revenue and diminished customer trust. 

  • Costs incurred to restore IT systems. 

  • Failure to comply with GDPR due to customer information being exposed. 

SECURITY MEASURES 

Below, you’ll find some advice to mitigate risks and enforce secure configurations: 

  • Enable automatic updates for all supported systems. 

  • Designate one person to be responsible for monthly patch management reviews. This includes checking the types of patches released by vendors, identifying affected systems, and assessing the risks of delayed updates. 

  • Use asset management tools to monitor update status and recency. 

  • Restrict software installations to reliable, well-managed applications. 
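The monthly review and update-recency monitoring described above can be sketched as a small script. This is an added example, not part of the original case study; the CSV columns, device names, dates, and the 31-day threshold are assumptions constructed for illustration.

```python
import csv
import io
from datetime import date

# Constructed sample export; column names are assumptions, not from a real tool.
SAMPLE_INVENTORY = """device,location,last_update,auto_update
pos-01,Shop A,2024-05-28,yes
pos-02,Shop A,2024-01-15,no
pos-03,Shop B,,no
pos-04,Shop B,2024-04-20,yes
pos-05,Shop C,2024-05-30,no
"""

MAX_AGE_DAYS = 31  # assumed threshold: one monthly review cycle


def review(inventory_csv, today, max_age_days=MAX_AGE_DAYS):
    """Return (device, finding) tuples, most overdue device first."""
    findings = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        name = (row.get("device") or "").strip()
        raw = (row.get("last_update") or "").strip()
        auto = (row.get("auto_update") or "").strip().lower()
        if not raw:
            # A device with no recorded update is treated as the worst case.
            findings.append((name, "no update on record", float("inf")))
            continue
        age = (today - date.fromisoformat(raw)).days
        if age > max_age_days:
            findings.append((name, f"last update {age} days ago", age))
        elif auto != "yes":
            # Up to date today, but nothing keeps it that way.
            findings.append((name, "current, but automatic updates are off", 0))
    findings.sort(key=lambda f: f[2], reverse=True)
    return [(name, text) for name, text, _ in findings]


if __name__ == "__main__":
    for device, finding in review(SAMPLE_INVENTORY, date(2024, 6, 3)):
        print(f"{device}: {finding}")
```
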
