SecurityBrief Australia - Technology news for CISOs & cybersecurity decision-makers
Story image
Majority of IT security professionals find patching overly complex
Wed, 13th Oct 2021
FYI, this story is more than a year old

A resounding majority - 71% - of IT and security professionals found patching to be overly complex, cumbersome and time consuming, according to a new report from Ivanti.

In fact, 57% of respondents stated that remote work has increased the complexity and scale of patch management.

Today's speed of business has shifted user expectations with new impacts on IT. And the rapid shift to remote work has accelerated digital transformation by seven years. In the Everywhere Workplace, employees connect with various devices to access corporate networks, data and services as they work and collaborate from new and different locations, so patching has never been more challenging.

In fact, unpatched vulnerabilities remain one of the most common points of infiltration for ransomware attacks, which have increased in frequency and impact to businesses of all sizes.

Ivanti says the WannaCry ransomware attack, which encrypted an estimated 200,000 computers in 150 countries, remains a prime example of the severe repercussions that can occur when patches are not promptly applied. A patch for the vulnerability exploited by the ransomware had existed for several months before the initial attack, yet many organisations failed to implement it.

Even now, four years later, two-thirds of companies still haven't patched their systems. Yet organisations around the world are still being targeted by WannaCry ransomware attacks; there was a 53% increase in the number of organisations affected with WannaCry ransomware from January to March 2021.

Patching to mitigate vulnerability exposure and ransomware susceptibility is contending with resource challenges and business reliability concerns. The survey found 62% of respondents said that patching often takes a back seat to their other tasks and 60% said that patching causes workflow disruption to users.

In addition, 61% of IT and security professionals said that line of business owners ask for exceptions or push back maintenance windows once a quarter because their systems cannot be brought down.

At the same time, the speed of vulnerability weaponisation continues to increase. It's the perfect storm of poor visibility due to the recently decentralised workforce and the growth of sophisticated threat actors targeting critical vulnerabilities.

As threat actors are maturing their tactics and weaponising vulnerabilities, especially those with remote code execution, organisations are struggling with attack surface risk and ways to accelerate patch and remediation actions. IT and security teams simply cannot respond fast enough; 53% said that organising and prioritising critical vulnerabilities takes up most of their time, followed by issuing resolutions for failed patches (19%), testing patches (15%) and coordinating with other departments (10%). The myriad of challenges that IT and security teams face when it comes to patching may be why 49% of respondents believe their company's current patch management protocols fail to effectively mitigate risk.

"These results come at a time when IT and security teams are dealing with the challenges of the Everywhere Workplace, in which workforces are more distributed than ever before and ransomware attacks are intensifying and impacting economies and governments," says Srinivas Mukkamala, senior vice president of security products at Ivanti.

"Most organisations do not have the bandwidth or resources to map active threats such as those tied to ransomware, with the vulnerabilities they exploit," he says.

"The good news is that the combination of risk-based vulnerability prioritisation and automated patch intelligence can bring to light vulnerabilities that are being actively exploited and have ties to ransomware.

"With unique patch reliability, IT and security teams can seamlessly deploy patches and solve for common challenges that are putting organisations at risk."

Top industry leaders, practitioners and analyst firms recommend a risk-based approach to identify and prioritise vulnerability weaknesses and then accelerate remediation. The White House recently released a memo encouraging organisations to use a risk-based assessment strategy to drive patch management and bolster cybersecurity against ransomware attacks. Furthermore, Gartner listed risk-based vulnerability management as a top security project that security and risk management professionals should focus on in 2021 to drive business value and reduce risk.