You might have the most sophisticated cyber defenses, use a zero-trust network, and have trained your employees not to fall for phishing scams or share sensitive data outside the company. But if you don’t update your critical infrastructure with important security patches, all that effort can go to waste.
That’s not too far from reality today, according to new research by ServiceNow and the Ponemon Institute. The study shows that despite continual warnings and well-known risks, many organizations still fail to maintain basic security protocols on critical systems.
The volume of cyberattacks jumped 17% in the last year. Yet it’s taking up to seven days longer to implement a patch than it did in 2018
In the summer of 2019, Ponemon surveyed nearly 3,000 security professionals in nine countries to understand how their organizations respond to software vulnerabilities. Just under half the respondents said their organizations suffered a data breach over the past two years. Of those, nearly 40% were aware of those risks before the breach occurred, and 60% said that while they had the available patches, they simply couldn’t install them in time.
The situation is only getting worse. The volume of cyberattacks jumped 17% in the last year. Yet it’s taking up to seven days longer to implement a patch than it did in 2018. And the longer a vulnerability is exposed, the greater the chance it will be exploited.
“IT departments and security teams understand that detecting and patching vulnerabilities is very important, but they still struggle to prevent these attacks,” says Sean Convery, vice president and general manager of security and risk at ServiceNow. “Automated security continues to be organizations’ most effective strategy in preventing attacks, but patch management remains heavily reliant on manual processes that struggle to keep pace with the rate of threats.”
Part of the blame lies with software vendors that delete old-yet-still-relevant vulnerability data, change how they deliver security bulletins, or alter the frequency with which they issue updates, according to Tyler Reguly, R&D manager at the cybersecurity firm Tripwire. That makes it harder for IT security teams to manage maintenance windows across large enterprises.
“Patch management is getting worse, which is leading to more breaches,” Reguly says.
Old tools for a new job
Another big reason for the gap is that more than half of all organizations are still managing patches manually using tools like email and spreadsheets. As a result, 69% say they plan to hire another five full-time security employees to keep up with the deluge of available fixes.
Data silos and internal turf wars further exacerbate the situation. Nearly 90% of surveyed security pros report that the need to coordinate their response across different internal teams is an additional barrier, delaying patch implementation by an average of 12 days.
Failing to patch known vulnerabilities is a bit like leaving your keys in your car or your front door unlocked, says Charles King, president of Pund-IT, a technology consultancy. “If a criminally minded person or group comes knocking, you’ve made their jobs easier,” he says. “Patching known vulnerabilities doesn’t guarantee you won’t be attacked, but it’s one of the best things organizations can do to protect themselves.”