Efficient and timely patch management can help reduce the risk of a successful compromise. Although patching is a basic security practice, an alarming number of companies have suffered breaches due to unpatched vulnerabilities.
According to a Ponemon Institute study of 3,000 companies, 48 percent of respondents admitted they had suffered a data breach within the past two years — and of those respondents, 57 percent of the breaches were due to an unpatched vulnerability. A 2016 study by software company Symantec found that over 75 percent of legitimate websites have unpatched vulnerabilities.
Despite this, many organizations struggle to build an efficient recurring process due to operational complexities, outdated systems and business priorities. One reason systems may go unpatched is a concern — whether perceived or legitimate — that it may result in performance tradeoffs or disruption to operations during patch testing and implementation.
To make the right decisions for the business, security teams need to be aware of business trade-offs and weigh them against the risks of continuing to operate with an unpatched system.
One way to encourage patch management is to include security and patch management performance metrics as part of the system administration processes for service, application and system owners. This strategy will incentivize operations teams to include patch management in their operations — whereas most teams are only incentivized to ensure that there is no disruption to operations.
Also, developing clear procedures to test patch implementation can help to assuage concerns that the patch will break critical business processes. Creating and using a virtual environment is one option to test patches before deploying them in the live environment. Alternatively, segmenting the network and patching in batches can limit the potential negative consequences.
The second reason that patch management often fails is that it’s a manual process where teams have difficulty prioritizing and implementing the most important patches. Ensuring that IT teams have an up-to-date inventory of every asset and automated checks for patches can help identify when and what needs to be patched.
Also, building a centralized platform that automates certain processes will create a more organized and efficient patch-management program that can result in fewer security vulnerabilities.