
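Neglected software updates put Kiwi SMEs at cyber threat risk
Neglecting software updates is exposing small businesses in New Zealand to increased risk of cyberattacks and data breaches.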
Patch management overlooked
Small and medium enterprises (SMEs) often deprioritise software patching, with daily operational demands pushing updates down the to-do list. According to Mark Gorrie, Managing Director APAC for Gen Digital, this delay creates serious security gaps, especially in third-party applications such as business apps, browsers, conferencing tools, and document readers.
Gorrie explains, "Neglecting software updates is leaving the doors of small and medium businesses wide open. Operating systems tend to be patched regularly, but it's everyday third-party apps like business applications, browsers, conferencing tools, and document readers that pose the bigger risk. The majority of vulnerabilities, 86%, come from applications (National Vulnerability Database). Each delay in patching increases the risk of ransomware attacks, stolen data, costly recovery efforts, or even falling short of compliance requirements – and local SMBs are exposed."
Research by the Ponemon Institute shows that 57% of data breaches are linked to inadequate patch management. The consequences for SMEs can include financial loss, legal penalties, and reputational damage.
Examples of breaches
Recent incidents underscore the threat. High-profile breaches involving Microsoft SharePoint have been reported worldwide. In New Zealand, the Mediaworks organisation lost control of its competition database due to a third-party platform vulnerability, and the Reserve Bank of New Zealand was compromised via a flaw in a file sharing service. Ticketmaster attributed loss of customer details to a breach in a customer support application. Gorrie notes that while such cases often involve larger organisations, small businesses face similar risks from outdated software and unpatched systems.
Gorrie says, "The recent Microsoft SharePoint breaches are a clear example. In New Zealand, Mediaworks lost control of its competition database due to a third-party platform and the Reserve Bank of New Zealand was breached thanks to a flaw in a file sharing service. Ticketmaster lost control of customer details and attributed the break to a customer support application, and the list goes on. These are the medium and large organisations that make the news, but the same vulnerabilities, even if not seen in print, are faced by small businesses too – outdated software, unpatched systems, and gaps in oversight. According to Ponemon Institute research, 57% of data breaches stem from poor patch management."
Challenges for small businesses
Many SMEs lack dedicated IT staff, so managing software updates is often a manual, time-intensive process. This situation means patches for third-party software can be delayed or overlooked entirely, sometimes until a problem occurs.
Gorrie writes, "For many, software patching often sits on the 'someday' list. It's considered important, and since there's no dedicated IT employee, it's constantly pushed aside by more urgent tasks. It's easy to see why: patching is time-consuming, prone to disruption, and often overlooked until something goes wrong. But what's often underestimated is the real risk of putting it off."
Automated solutions
To address these risks and challenges, Gorrie highlights the role of automated patch management. He says that solutions can help SMEs by taking the manual work out of the process, reducing disruption to daily business operations and ensuring timely application of patches across devices and software. "With Avast Business Patch Management, you don't have to worry about tracking patches across multiple applications or deploying updates during peak business hours. The platform scans for vulnerabilities, tests patches, and automatically rolls them out, all from a central cloud-based dashboard."
The approach, Gorrie contends, helps businesses by providing real-time visibility and control over their patch status. Automated systems can check for missing updates every 24 hours, efficiently distribute them across a network, and minimise network impact by scheduling deployments at convenient times.
He elaborates, "Businesses can expect time back because patch management removes the time-consuming burden patches cause. You can set flexible deployment schedules or let the system take care of it automatically with minimal network impact. That means less time checking for updates and fewer disruptions to daily operations."
Reducing risks and aiding compliance
Managing software updates proactively can reduce exposure to cyber threats, such as ransomware and data theft, and support compliance with industry and data protection standards.
Gorrie notes, "Smart businesses understand that the technology reduces risk. By closing known vulnerabilities quickly, you reduce the likelihood of ransomware attacks, data theft, or software issues. The system supports thousands of patches, including widely used apps like Adobe Reader, Java, and Zoom, so you're not just relying on Windows updates to keep your systems safe."
Compliance is another benefit identified by Gorrie. "Owners know compliance is critical. Whether it's meeting internal standards or aligning with industry or customer requirements, staying on top of patching helps you demonstrate that your business takes data protection seriously. The platform's built-in reporting tools make it easy to track and show compliance progress too."
Control and flexibility for SMEs
Automated patch management solutions, according to Gorrie, can be managed from a central dashboard, even allowing updates to be deployed to devices that are remote or not currently online. In the event of issues caused by a patch, the system allows businesses to roll back changes without needing IT intervention.
He states, "Patch Management means you don't need an IT qualification to gain control and visibility. Everything runs through one dashboard, and you can patch devices even if they're remote, asleep, or behind a firewall. And that's a big advantage for hybrid teams or those with multiple sites. If a patch causes a problem, you can roll it back without waiting for an IT technician to step in."
Patching as part of security
Gorrie describes patch management as an essential aspect of broader security strategies, offering an opportunity to enhance cyber resilience without significant resource investment.
He concludes, "Patching doesn't have to be a painful, manual process. With the right tools, it can become a quiet but powerful layer of protection, running in the background while you focus on growing your business. Avast Business Patch Management is about making security easier, not harder, and giving small businesses the tools to stay safe without stretching your resources thin."
Techday NZ
4 days ago