The failure to fully apply security updates (patches) to operating system and software applications is the leading cause of cybersecurity compromise.
A recent survey by the Ponemon Institute of over 3,000 organizations found that half had experienced a cybersecurity breach in the last 2 years, and the majority of these were caused by the exploitation of a vulnerability for which a patch was already available.
What did the half that had not been compromised do differently? They had patched their environments.
Given that patching is so essential, why don’t more organizations simply patch their environments? Turns out it’s not so simple:
- Patching greatly increases the risk of an outage. The real pain of an actual outage in the “here and now” is felt more acutely than the theoretically larger pain of a security compromise. For this reason, many organizations defer patching indefinitely. See: Will Patching Break My Network?
- Patching of critical systems must occur outside of normal business hours. Many organizations do not staff their IT departments around the clock, yet off-hours is exactly when patching of critical systems must occur.
- Risk is unknown. Many organizations do not scan for unpatched vulnerabilities and do not recognize how exposed they really are. Without hard evidence, it’s difficult to generate the will to act.
Our recommendations? Scan your environment for unpatched vulnerabilities to understand your current level of risk. And don’t procrastinate any further: take action to implement an effective patch management process.