Don Bloom's Web Log

Software Updates and the Small Business

This entry was posted on 10/23/2006 2:18 PM and is filed under Risk Management,Productivity.

To minimize the risk of software updates, larger companies actually set up test environments to apply them and review the impact on daily operations. The smaller the business, the less practical this approach is since it requires significant expenditure for IT and Human resources. So how can a small company reduce the risk of applying the software patch that comes with its own problems, making things worse, rather than better?

I don’t know of any software company – Microsoft and McAfee included – that has worked out a fool-proof mechanism for determining beforehand every side-effect a specific update could have on any given computer.

Their problem leaves the typical small business and their computer users without a solution for dealing with difficulties encountered because of updates that are supposed to make the software they sold you better in some way – more capable, more efficient, faster or safer. If you're someone who has suffered through difficulties caused by just such an incident, it doesn’t help you to know that they’re not that common. It just seems like they are because you don’t hear about the millions of successful updates, only the hundreds (OK, sometimes more like thousands) that don’t work!

Working with small companies, I’m inclined to recommend and implement procedures where updates for all software are only downloaded, but not installed. On a regular schedule, sometimes as often as weekly, someone either sends in the list of pending updates and they’re checked against known problems, or a technician actually applies the appropriate updates. This is typically done along with other regularly scheduled maintenance like system performance tuning (e.g. disk space management) and security reviews (e.g. virus and spyware checking.) The cost for that regular maintenance keeps things running smoothly and is viewed more or less like vehicle maintenance – think “100 hours of computer usage or 30 days, whichever comes first.”

Smaller organizations or individuals who don’t feel they have the funds to keep up with a maintenance program, need a different approach, one that within the industry is quaintly referred to as “break – fix” work. Essentially, you wait for something to break then spend money to fix it. This is not per se a bad approach. It’s just a trade-off of the risks associated with possibly spending too much on regular monthly maintenance to prevent some problems, versus spending very little or nothing on maintenance and suddenly having a serious problem with attendant high cost to fix. But, as is often said, “That’s a management decision!”

Maybe I should also say explicitly that it is not a technical decision. There are certainly technical risks, but like all business risk, management has to make the decision as to which course of action to follow. Bad things can happen. Computer hardware will fail. Computer software will fail. No simple answer can suffice to tell a business owner which risk is worth taking and which should be avoided. Given all the facts about a business, it’s not difficult to come up with reasonable estimates of the potential cost trade-offs among statistically probable computer failures: the costs of waiting for a failure and then fixing it; the costs of a regular maintenance program; and the costs of fixing the problems that will occur anyway given the level of maintenance you’ve decided on, including “none.”

There may not be a way of preventing all of the potential problems, but there are certainly ways of planning for them, managing your response to them and recovering from them without your business being disrupted any more than absolutely necessary. (… and without spending so much to do it that your business is disrupted … more than necessary!)