An out-of-date app or computer can be a serious cybersecurity concern

Computers and mobile devices with out-of-date security patches and operating systems, as well as software and apps that haven't been updated, are a cybersecurity threat that can have consequences for you and, in some cases, the entire NYU community, since many of our devices connect to the NYU network. Skipping an update can mean crucial security patches are not installed, making the computer an attractive target for cybercriminals. It's essential that you keep your computer, phone, tablet, and any apps (such as browsers) you use updated and that, if an update prompts you to restart or close and reopen an app, you do so immediately. Many updates can't be completed without a restart.

But wait, you may think. I have so many apps, and there are so many updates. True, but there are so many updates and patches for a reason. Cyberattacks are frequent and evolving, and unpatched security flaws are one of the most common weaknesses (along with social engineering and phishing) hackers can attack. The good news is that you can set most everything to update automatically—though you still need to pay attention to and respond to prompts to restart.

Use Auto-Update and Make Sure to Restart

The simplest way to make sure your computer, apps, phones, and other devices stay up-to-date and patched with the latest security upgrades is to set them to auto-update. How to do this varies depending on what you're using, but here are links to instructions for some of the most common operating systems and apps.

Note: For Linux, please check your preferred support forum or site for steps.

Did We Mention Restarting?

Sometimes automatic isn't as automatic as you want. You may need to manually restart an app, your phone, or your computer for updates to take effect, even if they were automatically downloaded and installed. Don't put off restarting! Sure, it's a little annoying to have to reboot your computer or close a browser full of apps, but it's essential to ensure the update is fully completed. Restarting is much less annoying and a lot less time-consuming than getting hacked and losing your data or identity.

Some apps, particularly browsers, may display an easy-to-miss button that says "Complete Update" once an update has been downloaded but not fully installed.

What Do Updates Get Me?

The trade-off for a few moments of inconvenience while an update installs or because you need to restart after an update is worth the benefits.

Fixing security vulnerabilities
Software, including mobile apps, can contain vulnerabilities that hackers can exploit to gain unauthorized access to your device or personal information. When developers discover these vulnerabilities, they release updates and patches to fix them. By installing these updates promptly, you protect your device and data from potential security breaches.

Staying ahead of emerging exploits
Cybercriminals are always developing new techniques to exploit vulnerabilities. Security patches can eliminate those vulnerabilities. If you don't update, you remain a target for attackers.

Protecting personally identifiable information (PII)
Many apps store sensitive personal information, such as login credentials, financial data, and personal messages. If a security vulnerability allows hackers to access this info, it could lead to identity theft, financial fraud, loss of account access, or other forms of cybercrime. Keeping your apps up to date reduces the risk to your personal data.

Preventing successful ransomware and malware attacks
Malicious software can be designed to steal data, track your online activities, display unwanted advertisements, or even take control of your device. Regularly updating your apps helps protect against these threats by removing potential avenues of attack.

Maintaining app functionality
In some cases, attackers may exploit vulnerabilities to interfere with app functionality or inject malicious code. By updating your apps, you ensure that you're using the latest, most secure versions, reducing the risk of tampering or compromise by hackers.

Potential Consequences of Not Running Updates

It's important to keep every app, piece of software, and operating system updated. Even novel apps like games need to be kept up to date because, when it comes to a cybersecurity attack, any app will do. By staying vigilant, you can minimize the risk of falling victim to malicious activity and protect your device, personal info, and everyone at NYU.

Data theft
Hackers can exploit outdated apps to steal sensitive information stored on your device, such as login credentials, financial data, personal messages, and other confidential data.

Identity theft
By gaining access to personal information through compromised apps, hackers could commit identity theft and use your personal information to open fraudulent accounts, make unauthorized purchases, or engage in other criminal activities under your name.

Financial fraud
Cybercriminals may exploit outdated banking or financial apps to access your accounts, transfer funds, or make unauthorized transactions.

Spying and surveillance
Certain types of malware can turn your device into a spying tool, allowing hackers to monitor your activities, record keystrokes, capture screenshots, access your camera or microphone, and track your location without your knowledge or consent.

Ransomware
Cybercriminals could exploit outdated apps to install ransomware on your device, encrypting your files and demanding payment for their decryption. Ransomware attacks can lead to data loss, financial extortion, and disruption of normal operations. If it happens to a computer or device with access to crucial IT systems, it can impact all of NYU.

Device takeover
In some cases, attackers may exploit outdated apps to gain unauthorized access to your device, allowing them to take control of it remotely, install additional malware, or use it as part of a botnet for launching cyberattacks on other targets.

Distributed denial-of-service (DDoS) attacks
Hackers may compromise outdated apps and use them to participate in DDoS attacks, where multiple compromised devices are coordinated to flood a target server or network with malicious traffic, disrupting its normal operation and causing downtime.

Additional Considerations for NYU Employees and System Administrators

Although everyone should keep their tech updated, NYU employees must be especially responsible, particularly if they have access to sensitive data, infrastructure, or equipment. In some cases, keeping your equipment patched isn't just good advice; it's a legal obligation.

NYU IT and school/unit IT teams use tools such as BigFix and Workspace One to install and update security software (Cortex XDR and InsightVM) for NYU-owned computers in use by faculty, researchers, administrators, and staff. This security software allows IT professionals to quickly detect, respond to, and remediate cyber incidents and vulnerabilities. However, even if updates are being delivered automatically, you may need to restart your computer for them to take effect.
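
For administrators of Linux hosts, the reason a restart matters can be checked directly: a process that started before a library was patched keeps executing the old, replaced copy until it is restarted. The following is an added example, not NYU tooling or part of the original article; it parses the Linux `/proc/<pid>/maps` format, and the sample data, the `exampled` binary name, and the ignored-prefix list are constructed assumptions.

```python
import os
import re

# One /proc/<pid>/maps line: address perms offset dev inode pathname
MAPS_LINE = re.compile(
    r"^[0-9a-f]+-[0-9a-f]+\s+(?P<perms>\S{4})\s+[0-9a-f]+\s+\S+\s+\d+\s+(?P<path>/.*)$"
)
# Assumption: deleted mappings under these prefixes are routine scratch files.
IGNORED_PREFIXES = ("/tmp/", "/var/tmp/", "/dev/shm/", "/run/", "/memfd:", "/SYSV")
DELETED = " (deleted)"

# Constructed sample of one process's maps after libssl was patched on disk.
SAMPLE_MAPS = """\
55d0c0a00000-55d0c0a2c000 r-xp 00002000 08:01 1311 /usr/bin/exampled
7f3a10000000-7f3a10200000 r-xp 00000000 08:01 2022 /usr/lib/x86_64-linux-gnu/libssl.so.3 (deleted)
7f3a10200000-7f3a10210000 r--p 00200000 08:01 2022 /usr/lib/x86_64-linux-gnu/libssl.so.3 (deleted)
7f3a20000000-7f3a20001000 rwxp 00000000 00:01 4096 /memfd:jit (deleted)
7f3a30000000-7f3a30021000 rw-p 00000000 00:00 0
7ffd1c000000-7ffd1c021000 rw-p 00000000 00:00 0 [stack]
"""

def stale_mappings(maps_text):
    """Return executable file mappings whose on-disk file has been replaced."""
    stale = set()
    for line in maps_text.splitlines():
        m = MAPS_LINE.match(line.strip())
        if not m or "x" not in m.group("perms"):
            continue  # anonymous, pseudo-file, or non-executable mapping
        path = m.group("path")
        if path.endswith(DELETED) and not path.startswith(IGNORED_PREFIXES):
            stale.add(path[: -len(DELETED)])
    return sorted(stale)

def scan_host(proc_root="/proc"):
    """Map pid -> stale paths for every process whose maps file is readable."""
    results = {}
    for entry in filter(str.isdigit, os.listdir(proc_root)):
        try:
            with open(os.path.join(proc_root, entry, "maps")) as fh:
                found = stale_mappings(fh.read())
        except OSError:
            continue  # process exited, or we lack permission to read it
        if found:
            results[int(entry)] = found
    return results

if __name__ == "__main__":
    print("sample:", stale_mappings(SAMPLE_MAPS))
    if os.path.isdir("/proc/self"):
        for pid, paths in sorted(scan_host().items()):
            print(pid, ", ".join(paths))
```

Run it as root to see every process; anything it lists is still running pre-patch code and needs a service restart or a reboot.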

System administrators, who often have privileged access to IT systems and data, play a critical role in maintaining cybersecurity. Keeping systems patched is essential. Otherwise, the entire University could be left open for attack. Here are some steps that system administrators can take to enhance cybersecurity.

Regularly update software and systems
Ensure that all software, including operating systems, applications, and firmware, is kept up to date with the latest security patches and updates. Regularly applying patches helps to address known vulnerabilities and protect systems from cyberattacks.

Implement strong access controls
Enforce the principle of least privilege, granting users only the permissions and access they need to perform their job functions. Use access control mechanisms such as role-based access control and enforce strong password policies, multi-factor authentication (MFA), and account lockout policies to prevent unauthorized access.

Monitor system logs
Implement robust logging mechanisms and regularly review system logs for signs of suspicious activity or security incidents. Monitoring logs can help detect unauthorized access attempts, malware, and other security threats.

Deploy and maintain security solutions
Implement a comprehensive suite of security solutions, including antivirus software, intrusion detection systems (IDS), intrusion prevention systems (IPS), firewalls, and security information and event management (SIEM) tools.

Conduct regular security assessments and audits
Perform periodic vulnerability assessments, penetration tests, and security audits to identify and remediate security weaknesses in systems, networks, and applications.

Educate and train users
Provide cybersecurity awareness training to employees, educating them about common cyber threats and how to recognize and report suspicious activities. Promote a culture of cybersecurity awareness and encourage users to adopt security-conscious behaviors.

Establish incident response procedures
Develop a detailed incident response plan to guide response to security incidents. Define roles and responsibilities, establish communication channels, and conduct regular exercises to test the effectiveness of the incident response plan.

Encrypt sensitive data
Implement encryption technologies to protect sensitive data. Use encryption protocols for securing network communications and encryption algorithms to protect stored data from unauthorized access.

Stay informed about emerging threats
Keep up with the latest cybersecurity trends, threats, and advisories. Stay informed about emerging threats and vulnerabilities relevant to your systems and take proactive measures to mitigate risks.

Report phishing and system irregularities or behavior concerns
Reporting phishing attempts to phishing@nyu.edu helps the University keep up to date with emerging attacks on the NYU Community, enabling rapid posting of alerts and updating of filtering software to prevent similar attacks from ever reaching anyone's inbox. If you're not sure if a message is a phishing attempt, report it anyway. It's easier to clear a legitimate message than it is to recover from a successful phishing attack.