Why are systems still being left unpatched in 2020?
- Advosec

- Aug 10, 2020
- 3 min read

Patching systems is like changing underwear and brushing teeth. It should be one of those things that happen routinely to maintain good security hygiene on your technical infrastructure. Yet nearly 60% of all breaches involve unpatched vulnerabilities.
Still, here we are, year after year pleading with organizations to prioritize this critical step in their quest to be more secure. If patch management is so routine, why are so many businesses struggling with making it happen and what can they do to get around some of the obstacles in their way?
Asset Management
One of the primary reasons many organizations fail to protect their systems is due to the simple unawareness of what they have in the first place. We've all heard the old saying, "you can't protect what you don't know about". This is too often the case in both small and large businesses due to poor asset management and system ownership assignment.
It's important to create a strong process (which does not have to come at a major cost) to track assets, their locations, owners, applications installed, classification, and more. This step alone will lead to more thoughtful and safer patch and vulnerability management, along with accountability when necessary. It doesn't matter who owns this process. What's more important is that someone in the organization does.
End of Life Systems
Let's face it - sometimes there are legitimate reasons for organizations having systems in place that are no longer supported with patching and firmware updates. It's the harsh reality of business and IT and at times the fault of nobody. Instead, it's a necessary business decision made to be cost-effective and profitable. The need to remain profitable cannot be the reason for leaving yourself completely exposed, however. There are other steps your business can take to protect these unpatched systems while you wait to raise the capital needed to replace them.
Consider building additional segmentation and access controls into your network to avoid a situation where your unpatched systems are sharing a network with other critical technology. It's important to be honest with yourself and recognize that these systems present a risk, albeit a necessary one, and need to be restricted in how they can communicate with your healthy systems.
Complexity and Tolerance
Many organizations think their model is too complex to do patch management well. Maybe there are thousands of systems managed by several different technical groups across the business. Perhaps you don't have the leadership support necessary to get it done because of historical issues that have come with patches. While patches are necessary and provide system updates and more security, it's not uncommon for them to come with issues from time to time. This is why it's important to not only test patches first, but also find a sweet spot between the date they are released and the date you implement them.
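The three points above (know what you own and who owns it, isolate what can no longer be patched, and deploy each patch after a test window but before a deadline) can be expressed as one small compliance check over an asset inventory. The following is an added example written for this page, not code from Advosec; every hostname, product, version, date and policy number in it is constructed, and the 7-day test window and 30-day deadline are assumed values rather than a recommendation from the post.

```python
"""
Added example, not code from the Advosec post: a minimal patch-compliance
check over an asset inventory. Every asset needs an owner, unsupported
(end-of-life) assets are flagged for network isolation rather than patching,
and each missing patch is classed by its age relative to a test window and a
deployment deadline. All names, versions, dates and policy numbers are
constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date

# Assumed policy values: patches are tested for 7 days after release and must
# be deployed within 30 days of release.
TEST_WINDOW_DAYS = 7
DEPLOY_DEADLINE_DAYS = 30

# Lower number = more urgent; used to order findings per asset.
SEVERITY = {"EOL_ISOLATE": 0, "OVERDUE": 1, "DUE": 2, "IN_TEST": 3, "UNOWNED": 4}


@dataclass(frozen=True)
class Asset:
    hostname: str
    owner: str            # accountable team; empty string means nobody owns it
    classification: str   # e.g. "critical" or "internal"
    product: str
    version: str
    supported: bool       # False: vendor no longer ships patches (end of life)


@dataclass(frozen=True)
class Patch:
    product: str
    fixed_version: str    # first version that contains the fix
    released: date


def version_tuple(v: str) -> tuple:
    """Compare dotted numeric versions component-wise, not as strings."""
    return tuple(int(part) for part in v.split("."))


def assess(asset: Asset, patches: list, today: date) -> list:
    """Return status codes for one asset, most urgent first; empty means compliant."""
    findings = []
    if not asset.owner:
        findings.append("UNOWNED")      # nobody is accountable for patching it
    if not asset.supported:
        findings.append("EOL_ISOLATE")  # cannot be patched; segment it instead
        return sorted(findings, key=SEVERITY.__getitem__)
    for p in patches:
        if p.product != asset.product:
            continue
        if version_tuple(asset.version) >= version_tuple(p.fixed_version):
            continue                    # fix already present
        age_days = (today - p.released).days
        if age_days < TEST_WINDOW_DAYS:
            findings.append("IN_TEST")  # still inside the testing window
        elif age_days <= DEPLOY_DEADLINE_DAYS:
            findings.append("DUE")      # tested; deploy before the deadline
        else:
            findings.append("OVERDUE")  # deadline missed
    return sorted(findings, key=SEVERITY.__getitem__)


def report(inventory: list, patches: list, today: date) -> dict:
    """Map each hostname to its findings so work can be assigned to owners."""
    return {a.hostname: assess(a, patches, today) for a in inventory}


# Constructed sample inventory and patch feed (not real products or releases).
INVENTORY = [
    Asset("web01", "platform-team", "critical", "exampleos", "2.4.0", True),
    Asset("db01", "data-team", "critical", "exampleos", "2.3.5", True),
    Asset("app01", "", "internal", "examplesvc", "1.7.2", True),
    Asset("hvac01", "facilities", "internal", "exampleos", "1.0.0", False),
]
PATCHES = [
    Patch("exampleos", "2.4.1", date(2020, 8, 6)),    # 4 days old on TODAY
    Patch("exampleos", "2.3.9", date(2020, 6, 1)),    # 70 days old on TODAY
    Patch("examplesvc", "1.8.0", date(2020, 7, 20)),  # 21 days old on TODAY
]
TODAY = date(2020, 8, 10)

if __name__ == "__main__":
    for host, findings in report(INVENTORY, PATCHES, TODAY).items():
        print(f"{host:8} {', '.join(findings) or 'OK'}")
```

Run as a script it prints one line per asset: db01 is both overdue for an older fix and inside the test window for a newer one, app01 is due but has no owner to assign the work to, and hvac01 is reported for isolation rather than for a patch it can never receive. Versions are compared numerically so that 2.10.0 correctly ranks above 2.9.9.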
Often the systems needing to be patched are managed by a vendor. IoT and medical devices are often in this group; however, this can be addressed upfront during the contracting phase of procurement to ensure the right SLAs and expectations are set.
Regardless of the reasoning, it's rarely good enough to justify not patching your systems on time. An argument could be made that every security control and technology being implemented over time is less productive and cost-effective than simply implementing a strong patch management strategy. Furthermore, you could find yourself investing in technologies and process changes to compensate for the lack of patching taking place.
Simply patching your systems on time will net you more security than nearly all technical products offered on the market today. Don't take no for an answer when pursuing stronger patch management.
For more information, please contact info@advosec.com