Updating software to install the latest security features sounds relatively easy if you’re talking about a laptop or a phone. You simply download an update, wait around for a little while, and the patch is applied with little to no effort on your part.
Patching enterprise software is vastly more complex and a growing risk for companies of almost every size and type. Unpatched business systems are a gold mine for hackers seeking to steal data or hold it hostage. It’s one of the main causes of what Accenture estimates were $21 billion in cybercrime‑related losses to U.S. companies in 2017.
An alarming 57% of cyberattack victims report that their breaches could have been prevented by installing an available patch, according to a new ServiceNow study conducted by the Ponemon Institute. And 34% of those respondents were already aware of the vulnerability before they were attacked.
The root problem, one that’s only getting worse, is what experts call a patching gap. Even though patches for software vulnerabilities are widely available, security and IT teams often lack sufficient knowledge or resources to keep up with them. One primary cause: 37% of breach victims don’t scan their networks and systems to see what they need to fix—a practice considered basic security hygiene.
The situation is so dire, there’s a term for it. “Patch regrets” are widespread among security professionals who know that patching would have saved them some grief.
The patching process isn’t as easy as clicking on an install button, explains Greg White, director of the Center for Infrastructure Assurance and Security at the University of Texas San Antonio.
“You don’t patch systems immediately,” White says. “You test a patch to see if systems act adversely with it. If that happens, you have a critical piece of software that no longer works.” If the patch can’t eliminate the vulnerability, security teams need to find another solution.
Compounding the problem is a shortage of qualified personnel who can sort out which patches are high priority and which ones can wait their turn. “Security teams are overwhelmed,” says Piero DePaoli, senior director of product marketing of security operations for ServiceNow. That’s one reason why security organizations are increasing headcount to close the gap: 64% of security professionals say they’re trying to hire dedicated resources for patching over the next 12 months, according to the survey.
Yet staffing is hardly a cure‑all. For one thing, an acute labor shortage plagues the security profession. More than 300,000 U.S. security jobs went unfilled in 2017, according to a CyberSeek study. “Even if we took every student here and turned them into cybersecurity professionals, we still wouldn’t fill all the positions,” says UTSA’s White. By 2019 there will be an estimated shortage of two million cybersecurity professionals worldwide, according to ISACA.
Two security strategies hold the most promise in the near term. According to the study, companies that avoid cyberattacks tend to be those that can detect vulnerabilities effectively and patch them quickly. Given the skills gap, however, that’s tough to do if you are relying solely on manual processes. DePaoli argues that the industry needs to reduce the burden on people by relying more on automated processes.
Unfortunately, 62% of surveyed companies say they can’t tell whether software vulnerabilities are being patched in a timely way, and 57% say their patching efforts fail because their teams are still using spreadsheets and emails to track and assign patching tasks.
Bottom line: If teams can make these processes more efficient, they can take advantage of the people they already have—instead of hunting for scarce talent.