It is common knowledge that regular patching is critical to achieving a high standard of cyber hygiene.
And yet unpatched issues remain a major problem for companies of all sizes. A recent report revealed that 56 percent of reported vulnerabilities are not patched within 90 days.
In fact, many of the highest-profile vulnerabilities of recent years remain unpatched in a considerable number of organizations. The SMB flaw exploited by the WannaCry ransomware (fixed by Microsoft in MS17-010) and Heartbleed (CVE-2014-0160 in OpenSSL, disclosed nearly six years ago) are still being found on production systems today.
So, why do so many vulnerabilities remain unpatched? Here we take a look at some of the reasons for this.
The challenges of complex business infrastructure
Keeping systems and infrastructure up to date is considered one of the basics of good cybersecurity practice, so it is easy to be critical of organizations that suffer breaches through unpatched systems. It should be pointed out, however, that for many businesses maintaining systems is not as simple as rolling out fixes automatically.
As systems and the issues affecting them become more technical and interdependent, updating one part of the infrastructure can have unintended results elsewhere, especially in organizations with large IT estates. IT staff are often hesitant to install updates for fear of disrupting the business, and this leads to long delays before patches are deployed.
For example, many updates (kernel and firmware updates in particular) require a reboot or other period of downtime, which is impractical or challenging for businesses that operate 24/7.
Organizations also frequently rely on legacy systems for which the original vendor no longer issues patches.
Obsolete systems present severe security problems. Not least, every vulnerability discovered after support ends stays open indefinitely, giving attackers a stable target. This is compounded by the fact that modern exploit mitigations (such as address-space layout randomization or data-execution prevention) are often absent from older platforms, so exploitation attempts are more likely to succeed.
If there is no way to patch a legacy system, it may still be possible to segment it from the rest of the network and restrict which hosts and protocols can reach it. Failing that, treat monitoring of these systems as a priority so that exploitation attempts are detected quickly.
Issues with open-source technologies
Many businesses make use of open-source technology, but this can be an issue when it comes to patch management. Open-source components are, unsurprisingly, popular and are found inside a wide range of services offered by large technology businesses; an audit by Synopsys found that 96% of the commonly used applications it examined contained open-source components.
When a vulnerability is found in a widely used open-source component, it affects a very large number of organizations at once, and maintainers (often volunteers) may be slow to issue a fix. Even once a fix is published, every product and internal build that bundles the component, directly or as a transitive dependency, needs its own update before the exposure is closed. Keep an inventory of the open-source components your business utilities depend on and watch for advisories against them; knowing in advance where a component is deployed is what turns an emergency into routine patching.
The rise of shadow IT
Shadow IT is the term for software and applications used by employees without the knowledge or consent of the IT department. This causes serious problems, principally because such applications may be insecure and, since nobody in IT knows they exist, are not included in routine patch management or vulnerability scanning.
As more employees work remotely or bring their own devices in, shadow IT grows, and it becomes more likely that unapproved applications are in use across the business.
How to improve your patch management
It is essential that businesses do everything they can to identify the systems and applications that need to be patched. Your organization should therefore take the time to carry out assessments such as vulnerability scans and penetration tests, with the help of independent cybersecurity professionals where appropriate.
These assessments help identify the assets most at risk and provide an outside view of the parts of your estate that could be patched. Where patching is impossible, as with obsolete systems or challenging environments, cybersecurity professionals can also suggest compensating controls to mitigate the risk.
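To make that triage concrete, here is an added example (not from the article or its author) of the kind of patch-status report such assessments feed, covering the three situations described above: open-source components that need an advisory matched against the installed version, legacy systems that cannot be patched at all, and assets with no inventory data at all. It takes a constructed asset inventory and a small advisory list, decides per host whether each known fix is applied, measures how long the fix has been available against the 90-day window the article cites, and flags end-of-life systems where the answer is segmentation and monitoring rather than a patch. The host names, versions, the `examplelib` advisory and the dates are made up for illustration; only the OpenSSL entry is real (the Heartbleed fix, OpenSSL 1.0.1g, released on 7 April 2014).

```python
import re
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

PATCH_SLA_DAYS = 90  # the 90-day window the article cites


def version_key(version: str) -> list:
    """Turn '1.0.1g' into comparable tokens.

    Digit runs compare numerically; letter runs (OpenSSL-style suffixes such as
    the 'g' in 1.0.1g) sort after a bare number with the same digits. Pre-release
    tags like '2.0-rc1' are NOT handled and would wrongly sort after 2.0.
    """
    return [(0, int(tok)) if tok.isdigit() else (1, tok)
            for tok in re.findall(r"\d+|[A-Za-z]+", version)]


def is_fixed(installed: str, fixed_version: str) -> bool:
    """True when the installed version already carries the fix."""
    return version_key(installed) >= version_key(fixed_version)


@dataclass
class Advisory:
    advisory_id: str
    component: str
    fixed_version: str
    fix_available: date  # when the vendor or maintainer shipped the fix


@dataclass
class Host:
    name: str
    components: Dict[str, Optional[str]]  # component -> installed version (None = unknown)
    end_of_life: bool = False             # vendor no longer issues patches


@dataclass
class Finding:
    host: str
    component: str
    advisory_id: str
    status: str                 # patched | missing | overdue | unpatchable | unknown-version
    days_exposed: Optional[int] = None


def assess(hosts: List[Host], advisories: List[Advisory], today: date) -> List[Finding]:
    """Match every host/component pair against the advisories that affect it."""
    findings = []
    for host in hosts:
        for adv in advisories:
            if adv.component not in host.components:
                continue
            installed = host.components[adv.component]
            days = None
            if installed is None:
                status = "unknown-version"       # typical of shadow IT: no inventory data
            elif is_fixed(installed, adv.fixed_version):
                status = "patched"
            else:
                days = (today - adv.fix_available).days
                if host.end_of_life:
                    status = "unpatchable"       # needs segmentation/monitoring instead
                elif days > PATCH_SLA_DAYS:
                    status = "overdue"
                else:
                    status = "missing"
            findings.append(Finding(host.name, adv.component, adv.advisory_id, status, days))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per status for a one-line management summary."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.status] = counts.get(f.status, 0) + 1
    return counts


# Constructed sample data. Only the OpenSSL entry is real (Heartbleed fix, 1.0.1g,
# 7 April 2014); 'examplelib', the host names, versions and dates are made up.
ADVISORIES = [
    Advisory("CVE-2014-0160", "openssl", "1.0.1g", date(2014, 4, 7)),
    Advisory("EXAMPLE-ADV-1", "examplelib", "2.3.1", date(2024, 1, 15)),
]
HOSTS = [
    Host("web-01", {"openssl": "1.1.1w", "examplelib": "2.3.1"}),
    Host("build-02", {"examplelib": "2.2.0"}),
    Host("app-03", {"openssl": "1.0.1e"}),
    Host("legacy-db", {"openssl": "1.0.1f"}, end_of_life=True),
    Host("kiosk-07", {"examplelib": None}),
]
ASSESSMENT_DATE = date(2024, 3, 1)  # constructed "today"


def run_example() -> List[Finding]:
    return assess(HOSTS, ADVISORIES, ASSESSMENT_DATE)


if __name__ == "__main__":
    results = run_example()
    for f in results:
        age = f"{f.days_exposed} days" if f.days_exposed is not None else "-"
        print(f"{f.host:10} {f.component:11} {f.advisory_id:15} {f.status:16} {age}")
    print(summarize(results))
```

In this constructed run `build-02` is missing a fix that is 46 days old and still inside the window, `app-03` has been exposed to Heartbleed for years and is overdue, `legacy-db` cannot be patched and belongs on the segmentation and monitoring list, and `kiosk-07` has no recorded version at all, which is exactly how shadow IT shows up in an inventory. In a real deployment the host and advisory lists would come from an asset inventory and a vulnerability feed rather than being hard-coded.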
About the Author: Chester Avey
Chester Avey has over a decade of experience as a cybersecurity and business growth consultant. He enjoys sharing his knowledge with other like-minded professionals through his writing. Find out what else Chester has been up to on Twitter: @Chester15611376.