Turn off, or not? I was recently asked the following question.
"I say that leaving my computer on overnight does not expose it to hacking, but some disagree with me. (You advised me to leave it on as a way to help minimize other possible problems). Please settle this difference of opinion for us."
Is there really a security risk?
The question asked was all about minimizing exposure to security risks.
Secure computers have hardware firewalls, software firewalls, OS-level security, antivirus, antimalware software, and password security, among other layers of security.
Do you seriously think the hackers wait until you are off of your computer to hack it? Not hardly. If it’s turned on and not secured, it doesn’t matter whether you are sitting in front of it or not. You’re still going to get hacked. It’s not an IF, only a question of WHEN.
It’s true that a computer that is powered off is difficult (not impossible) to hack. However, an unsecured computer turning on for 5 minutes has MORE exposure risk than a secured computer being left on for a full year.
The case for maintenance
Computers need to be on overnight in order to do maintenance. Disk maintenance, patches, updates, imaging, backups, etc. Do you really want to do these processes manually? Do you even know how?
The vast majority of businesses leave their computers on all the time so that they can do patches and maintenance. Obviously, they feel it’s secure enough. They realize that if you don’t have enough security in place to protect the computers all the time, then you don’t have enough.
If you don’t have a UPS (battery backup) for your computer, you do accept some risk of a hard down if there is a power outage. This is easy enough to avoid by simply powering off the computer during a lightning storm. However, you may leave in the morning and come back some time in the evening, and there was thunderstorm while you were gone. So investing in a UPS is a great idea. It is a lot less expensive than a fried computer or lost data.
The final answer
So powering off computers overnight does only two things.
- Prevents the needed computer maintenance functions from working. (bad)
- Prevents additional electrical usage.
This is why I say to people to turn them off if they are going away for a day or two or more. Otherwise, leave the computer on so that it can do its maintenance. Most computers don’t really use much electricity. It’s probably costing you a couple dollars per month in electricity to run your computer.
If your computer is connected to a management server that schedules regular maintenance including defrags, inventorying, and patch deployment, then you don't need to leave the computer turned on every night. Your MSP should be able to tell you when patches are being deployed. For instance, QPC tells customers of their patch management services to leave their computers turned on the second Tuesday and Wednesday of each month. This is the time when we expect the bulk of the updates to be deployed.
The second Tuesday of every month is when Microsoft releases patches for its systems. Adobe has synchronized their patch deployment schedule with that timeline. Regarding other updates, we deploy updates as soon as they are released by the software manufacturers and we have tested them. This means that patches are deployed to endpoints typically within 48 hours of the patch's release. Installing patches in a timely manner is exceptionally important in preventing computers from being compromised.