Why is patching still a problem for businesses?

The sheer volume of cyberthreats and connected devices, along with a lack of cybersecurity resources, means unpatched systems remain a risk.

By Tim Ferguson

Wed 8 Aug 2018 @ 11:19

The issue of unpatched vulnerabilities continues to be at the root of successful cyberattacks and data breaches despite decades of IT departments managing the patching of their company’s software and hardware.

The lack of up-to-date patches leaves organisations at risk. A recent survey by Forrester Research found that 49 per cent of organisations suffered one or more breaches in the past year, with software vulnerabilities the largest factor in those breaches.

According to the National Audit Office (NAO), the WannaCry ransomware attack that crippled the NHS in May 2017 got into the organisation’s systems through a vulnerability that remained open because of inadequate patching. This was despite NHS Digital issuing critical alerts warning NHS organisations to patch their systems to prevent WannaCry a few months prior to the attack.

Commenting on the NHS breach, Amyas Morse, head of the NAO, said: “It was a relatively unsophisticated attack and could have been prevented by the NHS following basic IT security best practice.

“There are more sophisticated cyberthreats out there than WannaCry so the Department and the NHS need to get their act together to ensure the NHS is better protected against future attacks.”

The attack caused disruption in at least a third of NHS trusts in England, with thousands of appointments and operations cancelled, and many patients having to travel further to accident and emergency departments.

NHS Digital told the NAO that the organisations infected by WannaCry all shared the same vulnerability and “could have taken relatively simple action to protect themselves”. It appears that infected organisations had unpatched or unsupported Windows operating systems, making them susceptible to the malware.

The NHS was not the only high-profile example of a breach caused by a lack of adequate patching when WannaCry came calling. Spanish mobile operator Telefonica and German rail operator Deutsche Bahn were both hit, while Renault-Nissan had to halt production at several sites to contain the ransomware.

There have been other high-profile breaches due to an unpatched vulnerability too: the breach suffered by US-based credit reporting agency Equifax in July 2017, in which the personal data of more than 145 million customers was leaked, was attributed to a missed patch.

So why is this seemingly basic element of IT management still such a challenge for businesses to get right? Much of it has to do with volume of attacks and the level of IT resources that organisations have at their disposal.

The sheer volume of known vulnerabilities is overwhelming for many organisations – with a new security vulnerability identified every 90 minutes. This often means organisations only focus on the most critical issues.

However, according to user data from security company F-Secure, the vast majority of unpatched vulnerabilities are low or medium in severity. As a result, there are a lot of potential avenues for cybercriminals to explore.

In addition, organisations’ attack surfaces have grown. More and more devices containing or providing access to corporate data are connected to the internet – including smartphones, tablets and Internet of Things devices – meaning the number of potential vulnerabilities increases exponentially.

Working out which of your systems will be affected by a new vulnerability is becoming increasingly tricky. Fortunately, tools are available to generate a threat assessment of your organisation’s connection to the internet to give you better visibility of your cybersecurity risks.

More generally, organisations must scan internal systems and applications for vulnerabilities, as well as gain visibility of technology used by employees on an unofficial basis, or ‘shadow IT’.

As the cyberthreat environment changes so rapidly, patching also needs to happen continuously if it is to be effective. If it’s just done occasionally, it’s highly likely that a cyberthreat will find a new vulnerability and make full use of it to get into your organisation’s network.

The other main reason for a lack of sufficient patching is that the process often requires the systems to be taken offline while the updates are carried out. This downtime obviously has a knock-on effect, particularly if it affects critical applications or systems that need to be available at all times. However, it could be argued this is a false economy considering the potential fallout of a major breach.

Patch management isn’t an easy thing to achieve. It requires constant system monitoring to ensure all vulnerabilities – including those on devices that aren’t traditional PCs or servers – are quickly identified and dealt with.

It also requires time to be devoted to understanding the implications of every vulnerability that emerges, prioritising them and addressing them. Support from leadership is vital to ensure IT has the time and resources to do this effectively.
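The prioritisation step described above, and the article's point that a severity-only view leaves medium-severity issues on exposed devices untouched, can be made concrete with a small triage routine. This is an added example, not code from the article or any vendor: the weighting (internet exposure, how long a fix has been available, asset criticality) and the four constructed findings are assumptions, and the CVE-style identifiers are placeholders.

```python
from dataclasses import dataclass


@dataclass
class Finding:
    asset: str
    vuln_id: str            # placeholder identifier, constructed
    cvss: float             # base severity, 0.0 - 10.0
    internet_exposed: bool  # reachable from outside the network?
    days_unpatched: int     # days since the fix became available
    criticality: int        # business importance of the asset: 1 (low) .. 3 (high)


def risk_score(f: Finding) -> float:
    """Assumed scoring model: severity scaled by exposure, staleness and asset value."""
    exposure = 2.0 if f.internet_exposed else 1.0
    # Unpatched time raises risk linearly, capped at 3x after 180 days.
    staleness = 1.0 + min(f.days_unpatched, 180) / 90.0
    return round(f.cvss * exposure * staleness * f.criticality, 1)


def by_severity(findings):
    """The 'critical first' ordering many teams default to."""
    return [f.asset for f in sorted(findings, key=lambda f: f.cvss, reverse=True)]


def by_risk(findings):
    """Ordering that accounts for exposure, patch age and asset value."""
    return [f.asset for f in sorted(findings, key=risk_score, reverse=True)]


# Constructed sample inventory (not real findings).
SAMPLE = [
    Finding("internal-file-server", "CVE-0000-0001", 9.8, False, 5, 2),
    Finding("lobby-ip-camera", "CVE-0000-0002", 5.3, True, 120, 1),
    Finding("patient-web-portal", "CVE-0000-0003", 6.5, True, 30, 3),
    Finding("dev-laptop", "CVE-0000-0004", 7.5, False, 200, 1),
]

if __name__ == "__main__":
    print("severity only:", by_severity(SAMPLE))
    print("risk weighted :", by_risk(SAMPLE))
    for f in sorted(SAMPLE, key=risk_score, reverse=True):
        print(f"{f.asset:22} cvss={f.cvss:4} risk={risk_score(f)}")
```

With these inputs the medium-severity, internet-facing portal moves to the top of the queue while the critical but internal, freshly disclosed file-server issue drops to last, which is the gap a severity-only policy leaves open.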