The root cause of most digital security breaches is unpatched software with known vulnerabilities.
A vulnerability is like a back door in which hackers and cyber-criminals can access your systems. Once inside, your data is in their hands.
The WannaCry ransomware attack is a recent example of a known vulnerability being exploited to great effect. This attack locked affected users out of their information, demanding payment to return access to their files. As with most ransomware attacks, paying the ransom is not a guarantee the files will be unlocked.
A patch for this specific vulnerability was released by Microsoft in March 2017. Two months later, and within one day, the WannaCry worm infected more than 230,000 computers in over 150 countries. As well as several NHS Trusts in England and Scotland, Nissan Motor Manufacturing UK, FedEx, Deutsche Bahn, and Renault are just a few organisations from around the world to fall victim.
Patching habits across organisations are erratic. While some will patch within the first week or month, some will wait longer or never apply the patch at all.
Prompt installation of the Microsoft patch would have prevented the WannaCry breach and the significant disruption it caused. In light of this, why is it that patching remains a problem for so many organisations?
Why is patching such a problem?
According to the Microsoft Security Intelligence Report, 5000 to 6000 new vulnerabilities are released each year. That averages out at around 16 each day. Each time a new vulnerability comes to the attention of software providers, a patch must be released to address it.
Many organisations choose not to use automatic patch mechanisms, in order to test the patch in their own environments first. Manual patching, however, requires far more resource. While each security-related patch is designed to fix a specific issue, the impact of the update on an organisation’s systems and applications cannot always be foreseen. Testing minimises the risk of unprecedented issues interrupting business.
By the time each patch has been adequately tested and rolled out across all necessary devices, it is likely another security patch has been released. Patch management is, therefore, a constant job.
Getting away from the threat of not being patched requires some organisational soul searching. Do you have enough resource? Do your processes need tightening? Can your testing phase be streamlined or optimised further? How do you identify and prioritise applications that are most likely to be exploited? Has your patch management team been given rightful authority to apply patches, or have they been told certain areas are hands-off? Do you rely on applications that are more widely exploited (such as Java and Internet Explorer), and could you move away from these in the future to less widely exploited applications?
It might be a tough pill to swallow, but it seems many organisations are unwitting participants in the cyber-security problem. Identifying the obstacles that stand in the way of better patching within your organisation is the first step towards addressing this issue.