24 January 2018 category: business technology
All computer hardware and operating system vendors are still in the process of fixing the meltdown and spectre flaws.
But what exactly are these flaws and how do they affect your business?
In a nutshell what are the spectre and meltdown flaws?
The meltdown and spectre flaws have arisen because of chip manufacturers attempts to improve the performance of computers.
Given a set of possible instructions, the processor tries to predict which instruction it will be required to process next and performs it before it is asked to.
If it gets it right, then it returns the results quicker than expected. The more it guesses right the bigger the performance boost for the device.
But due to other flaws in firmware and operating system code, malicious code could be deployed to take advantage of this process and steal data.
It could potentially affect every smartphone, tablet, computer and datacentre.
What’s being done about it?
All the big players are racing to deploy short-term and long-term fixes to address these flaws. This involves the hardware manufactures Intel and ARM, Apple and Google; as well as the major operating system vendors such as Microsoft, Google, Apple and Linux.
In the short to medium term this will mean patches will need to be deployed to all computers, laptops, smartphones, and data centres.
In the long term there may need to be hardware upgrades.
OK, so what does it mean for my business?
Obviously, unless you are involved in the industry, you cannot produce the fix to the meltdown and spectre flaws.
But there are 3 things you can do now (or plan to do) to reduce the impact on your business:
Prevention – firewall, antivirus, malware and spam protection
Take this opportunity to ensure that your data and systems are protected as much as possible to prevent malicious code reaching them.
Review your firewall, antivirus, malware and spam protection policy. The 10 Things to consider are:
- Are all security systems and devices documented?
- How often is the effectiveness of these systems reviewed and compared against competitor products?
- Are reports of virus signature updates, threats, infections, and clean status monitored?
- Who are these reports distributed to?
- Are senior management given copies of the reports?
- Is there an escalation policy for suspected data theft (particularly anything involving client data)?
- Are you insured against cyber-attacks?
- Do you allow staff to access systems from their own devices and/or homes? (increasingly common with cloud systems such as Office 365 and Google Docs).
- If so, do you ask for evidence that they have adequate firewalls and security software installed, and that they are updated frequently?
- Could you provide licenses for them to download and install the same security software installed on business devices?
Patching – Keep firmware, operating systems and software up to date
In the wake of the spectre and meltdown flaws it is more important now than ever to make sure that all critical patches are applied to firmware, operating systems and business software, promptly.
Review the policy and check that there are no barriers to installing critical updates with high/severe risk promptly:
- Are operating systems and software updated and applied automatically?
- If so, is there a set time of day, or day of week, that they are applied?
- Is there are a process to escalate critical updates if the risk is severe?
- If operating system and software updates are not applied automatically is this because of some bespoke or legacy application?
- If so, it might be worth exploring upgrading or replacing the application
- If your staff are accessing data and systems on their own devices, have they provided details of the update policy on their own devices?
- Is there a defined policy for updating firmware? (updates without testing to firmware could impact other device drivers and needs careful consideration).
- Is there a policy for staff using their own devices to ensure that critical firmware updates are applied?
Cure – Hardware upgrades or replacement
In the case of spectre and meltdown, it may ultimately be necessary to upgrade processors or replace computer systems to eradicate the threat from the spectre and meltdown flaws.
This can have an impact on your business in a few different ways:
- If you purchase computing devices as a capital cost, then you need to plan and budget for upgrades to your devices.
- If any systems are imminently due to be replaced it may be worth delaying to see if Intel and ARM come up with new designs to eradicate the potential problem.
- It may also be worth considering the benefits of leasing devices. This often allows devices to be upgraded and replaced more regularly.
- Whether you lease or purchase you should allow a contingency fund for price increases above inflation, due to potential increased demand for processors with a new architecture.
- You should also allow a contingency for price increases above inflation to cloud services and software as a service, if major upgrades are needed to datacentre hardware.
It is possible that the problem will be fully addressed via operating system and firmware patches, and that immediate hardware upgrades are not needed.
But it is a good idea to have a contingency plan and budget in place if possible.