The quest for uptime
When I started experimenting with Linux in the late 90s, my focus was on getting a working system up and running. My initial attempts hit many roadblocks, but after the purchase of a comprehensive book, thanks dad, I was able to get a stable system. I experimented with Linux on a donated Dell desktop and ended up re-installing the operating system repeatedly with each experiment that I tried.
Eventually, my skills developed, and I became focused on uptime. How long could I keep the computer running without a reboot? Each day, the server uptime increased another 24 hours, and it brought me joy. After 365 days, I celebrate the one-year uptime mark with a feeling of triumph. The uptime continued to increase and eventually ended before the two-year milestone due to a power failure. While a bit disappointed with the utility company, I was proud of what I had accomplished.
Moving on from uptime
I was not alone in my quest for uptime as it provided a reassuring feeling to other system administrators. However, as I have aged and the industry has matured, it is clear that uptime is no longer a mark of success.
Today, significant uptime, whether using Windows, Linux, or other software, is usually a sign that systems are not receiving security updates, and in our highly connected and changing IT lives, security updates are vital.
Whenever MSJ evaluates a new prospect or signed client, we have a runbook on how to assess the current systems. One of the first steps is to check system uptime, and when everything was last patched.
We routinely see outdated systems that expose clients to issues and vulnerabilities that are already resolved by the vendor.
A recent review of a new client found servers missing two years of patches and a router missing five years of updates, including the router's vulnerability database that the client pays a license for the functionality.
Why Does this happen
There are many reasons that systems fall behind. The first is that patching takes time and effort. As with all businesses, time and effort have a cost, and this may not be part of your provider's model.
There is also a risk with each software update. Issues can occur during upgrades, which can lead to frustrated clients, and some MSPs worry about their reputation.
Upgrades also need to occur after hours, which requires scheduling and people power at these times to get the jobs done.
There are likely other reasons too, but for us, the risk of not updating clients is a lot worse than the effort required to resolve an issue caused by unpatched systems. Maintained systems are what MSJ prides itself on.
How do you protect yourself
We recommend that all business and systems owners take a few steps to protect themselves. The first simple step is to ask your managed service provider, MSP, when they last patched your systems. Get an answer, preferably via email, so that you can track it.
The second step is to have an employee spot check systems to ensure they have the latest updates. Check your servers, network hardware, and desktops for updates. All resources should not be more than 30 days behind on software updates. If they are behind, talk to your MSP about it.
If you're unsure of how to check your system, reach out to a third-party to perform an audit. A network audit can provide insight into your MSP's work and be used to communicate your wishes with the MSP effectively.