It isn’t news that many enterprises are not effectively managing their patch management programs, but here are three things that can help you refine your own position.
Despite what you read in the press, zero-day attacks—where cybercriminals launch attacks targeting a specific vulnerability before the vendor has had time to fix it—are not as common as you think. The real threats are much less attention grabbing. Only last year it was reported that 90% of organisations surveyed experienced some form of cyber attack in which the attackers targeted vulnerabilities that were three or more years old, while a staggering 60% of organisations were attacked with exploits 10 or more years old.
Why are attackers using exploits that are that old? Simply because far too many companies have inadequate patch management programs in place and are leaving software and systems unpatched for way too long. All the exploits tracked had been addressed in patches, so it doesn’t take a genius to work out that keeping patches even relatively up to date can help to prevent a huge number of attacks from being successful.
Why is patch management so important?
For cybercriminals, unpatched systems represent one of the most obvious and effective points of entry into an organisation’s network. A huge amount of work is being done by security researchers on an ongoing basis to uncover vulnerabilities in software, and vendors are frequently releasing updates to remediate the problems that are being unearthed. However, if organisations are failing to implement those updates, they are effectively leaving the door wide open for cybercriminals.
It’s imperative that enterprises have a good patch management program in place; this way they can make sure that nothing slips through the cracks. It’s easy for a little-used piece of software to get overlooked, and if it doesn’t get patched it can introduce major security holes. But it’s not just about security: patching also ensures that software and systems are working as efficiently as possible, because updates regularly include important operational fixes as well. With such a heavy reliance on technology in the modern workplace, even minor software bugs can lead to major headaches and reductions in employee productivity.
So why aren’t enterprises doing a better job?
The reality for many enterprises is that patching can be an incredibly complex process. The Ponemon Institute’s 2018 State of Vulnerability Response survey found that mid-market and enterprise organisations simply aren’t able to protect against known vulnerabilities as well as they think they can for two key reasons:
- They have no understanding of where their vulnerabilities are
Patching is only really effective if you have visibility into your organisation to understand what you have that actually needs patching. The Ponemon study found that over a third of the enterprises they surveyed (37%) said that they didn’t scan for undetected vulnerabilities. At the same time, the survey also points out that doing this actually reduces the risk of breach by 20%.
- They have no way of prioritizing the importance of patches
Again, according to the same study, nearly two-thirds of enterprises (65%) find it a challenge to prioritize the order of patches. In many cases this is simply because they have no way of identifying the risk to their organisation.
Patching at enterprise level is never going to be a cakewalk, but understanding the importance of patching and then making it a top-down priority is your first step in the right direction. Here are three more things that can set you on the road to creating an effective patch management program:
1/ Establish a vulnerability management team within the organisation — this should include all teams that will be affected by a patching program. They should be responsible for establishing protocol and processes, so that the remaining steps can be planned and executed without delays.
2/ Get visibility into your organisational needs — this can be done by deploying a solution that will enable you to have an up-to-date inventory of all the systems and applications within your organisation that need to be patched.
3/ Get visibility into your organisational risk — threat analytics are the crucial tool in your armoury here. If you understand the attacks and vulnerabilities that are out there, you can combine this with the knowledge you now have of your own networks and more effectively assess the risk they pose to your organisation.
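To make steps 2 and 3 concrete, here is an added example (not code from the original article) that joins a software inventory with a list of known vulnerabilities, ranks each missing patch by risk, and reports how many hosts are missing patches that are 3 or 10 or more years old. The scoring weights, the version-comparison rule, and all hosts, products and vulnerability IDs are constructed assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class Asset:  # one row of the inventory (step 2)
    host: str
    software: str
    version: str
    internet_facing: bool

@dataclass(frozen=True)
class Vuln:  # one item of threat knowledge (step 3)
    vuln_id: str
    software: str
    fixed_in: str  # first version carrying the vendor fix
    patch_released: date
    exploited_in_wild: bool
    cvss: float

def parse_version(v: str) -> tuple:
    return tuple(int(p) for p in v.split("."))

def is_affected(asset: Asset, vuln: Vuln) -> bool:
    # Assumes plain dotted numeric versions; real inventories need vendor-specific rules.
    return asset.software == vuln.software and parse_version(asset.version) < parse_version(vuln.fixed_in)

def patch_age_years(vuln: Vuln, today: date) -> float:
    return (today - vuln.patch_released).days / 365.25

def priority(asset: Asset, vuln: Vuln, today: date) -> float:
    # Weights are an assumption for illustration: severity, then in-the-wild
    # exploitation, exposure, and the age of the fix (old fixes are widely known).
    score = vuln.cvss
    if vuln.exploited_in_wild: score += 3.0
    if asset.internet_facing: score += 2.0
    if patch_age_years(vuln, today) >= 3: score += 1.0
    return round(score, 1)

def prioritise(assets, vulns, today):
    """Return (score, host, vuln_id) for every affected asset, highest risk first."""
    hits = [(priority(a, v, today), a.host, v.vuln_id) for a in assets for v in vulns if is_affected(a, v)]
    return sorted(hits, reverse=True)

def stale_patch_summary(assets, vulns, today):
    """Count affected hosts whose oldest missing patch is 3+ / 10+ years old."""
    ages = {a.host: [patch_age_years(v, today) for v in vulns if is_affected(a, v)] for a in assets}
    return {"hosts_3y_plus": sum(1 for x in ages.values() if x and max(x) >= 3),
            "hosts_10y_plus": sum(1 for x in ages.values() if x and max(x) >= 10)}

# Constructed sample inventory and vulnerability feed (fictional hosts, products and IDs).
ASSETS = [Asset("web-01", "webfw", "2.3.1", True), Asset("hr-db", "dbengine", "9.0.0", False),
          Asset("kiosk-7", "legacyapp", "1.0.4", False), Asset("web-02", "webfw", "2.5.0", True)]
VULNS = [Vuln("VULN-A", "webfw", "2.4.0", date(2015, 3, 1), True, 8.8),
         Vuln("VULN-B", "dbengine", "9.1.0", date(2018, 11, 1), False, 6.5),
         Vuln("VULN-C", "legacyapp", "1.1.0", date(2008, 5, 1), False, 7.5)]
TODAY = date(2019, 6, 1)
```

Running `prioritise(ASSETS, VULNS, TODAY)` puts the internet-facing host missing an actively exploited four-year-old fix at the top, and `stale_patch_summary` shows two hosts missing patches over three years old and one over ten.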
By implementing a structured patch management plan based on real, in-depth knowledge of your own risk and threat landscape, you can really strengthen your organisation’s security stance and create an effective long-term strategy to help reduce the risk of attacks in your environment.