With few exceptions, most updates are to fix vulnerabilities in products and software. Even with the most rigorous controls and processes, software developers will make mistakes. It is only a matter of time before someone will find them. Once the manufacturers become aware of these vulnerabilities, they will frequently produce an update that fixes them.

After an update becomes available, attackers will learn about the vulnerabilities and develop 'exploits' (tools to attack) that target them. As time passes, it will become easier and less cumbersome to attack systems and services that have not been kept up to date.

Most of the reasons people don’t update their devices/systems are:

We will discuss what to do in each of these situations.

Most software today will have the capacity to manually (or automatically) check for updates.

Recommend that - as a minimum - you check for updates once a month.

As much as possible, enable auto-updates on as many of your devices and systems.

Most devices/services have a way for you to backup the currently running version of their software.

Learn how to leverage the functionality to restore the system if something (like an update) renders it unusable. You can update with confidence because you know you can always fall back to something that works.

Vendors don’t support their products indefinitely.

When you purchase/acquire a product, you should make a special note of its end-of-life date and plan to replace it before that date.

If you can’t replace something before it’s end-of-life, then you should take measures to reduce the risks associated with continuing to use it. For example: Take it off the network.

Occasionally, vendors will announce a critical update. These are usually to resolve a vulnerability that is currently being attacked or is particularly easy/impactful.

Whenever you become aware of a critical update, you should immediately update it to minimize risk.