After 2021, the IT community is definitely convinced of the importance of patching. We have seen many cases in which hackers exploited known vulnerabilities even after patches were available. The most prominent example was the Exchange Server flaws: Microsoft provided patches in March, but the vulnerabilities continued to be exploited by hackers until recently, as 30,000 Internet-facing Exchange Servers remained unpatched. More broadly, the Action1 survey conducted in September found that 62% of organizations recently suffered security incidents that involved a known vulnerability for which a patch was available but had not yet been deployed. Such successful cyberattacks can be devastating, leading to prolonged downtime, compliance fines, reputational damage, and more.
In this article, I provide an in-depth analysis of what is keeping organizations from establishing a solid patching program and offer practical tips for overcoming those challenges.
Why Companies Cannot “Just Patch”
Multiple factors keep organizations from deploying patches promptly and efficiently. First, multiple vulnerabilities are being discovered on a daily basis. The National Vulnerability Database added almost 17,000 in 2021 alone. One of the causes of this recent flood was that, as the pandemic accelerated digital transformation, application vendors hurried to bring their products to market, and less testing means more updates.
Second, deploying patches can lead to costly downtime that organizations can ill afford. For example, when Microsoft released the patch for the PrintNightmare vulnerability, some experts warned that deployment could lead to downtime; as a result, security teams at many organizations, especially those that rely heavily on printed documents, spent more time preparing than actually deploying the fix.
On top of that, patching has always been time-consuming and labor-intensive for geographically distributed enterprises, and the move to remote and hybrid workforces and the IT skills shortage have made it even more difficult. In particular, installing patches over VPN on home broadband connections is highly prone to errors: people can decline updates, close their laptops during patching, and so on. Indeed, our survey showed that it takes organizations more than twice as long to deploy critical patches when endpoints are remote.
Establishing a Solid Patch Management Program
While a robust patch management program is an essential element of any organization’s security posture today, it can’t be achieved using a single technology; it requires a more complex approach. Here are the key elements of a successful patching strategy.
Prioritization of patches based on risk is vital to dealing with the flood of patches. To prioritize effectively, security teams need to assess the likelihood of a given vulnerability being exploited and the value of the asset at risk. For example, patches for critical systems that are internet-facing need to be deployed promptly because both the likelihood of exploitation and the potential for damage are high. Patches for less business-critical vulnerabilities can be taken care of later.
Automation is another essential strategy for ensuring prompt patch deployment. However, our study found that 14% of organizations do not automate patching at all, and 59% automate patching for operating system patches only. But other software products are prone to dangerous vulnerabilities, too. For example, Chrome has already issued 10 zero-day patches in 2021, including two urgent updates in September for flaws that were being actively exploited, and in October, Adobe published emergency patches for 92 security flaws across 14 of its products. Deploying such updates manually significantly increases the risk of errors, delays and missed patches that can result in successful attacks. With modern enterprises relying on an average of 464 different applications, it is essential to automate patching for all enterprise software across both remote and office-based machines.
Software inventory and management enterprise-wide is another critical aspect of a solid patch management program. While it is common knowledge that using outdated software is dangerous, some companies still do it. For example, a Florida water plant that was hacked in February 2021 used outdated Windows 7 PCs. In September 2021, security researchers shared some details on another cyberattack, in which hackers exploited an 11-year-old vulnerability in a system that had reached end-of-life in 2016, and deployed Cring ransomware. It is essential for IT teams to have clear insight into all systems and to be able to update or remove outdated ones.
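The two ideas above, risk-based prioritization (likelihood of exploitation times value of the asset) and an inventory that flags end-of-life systems, can be combined into one triage step. The following is an added example, not code from the original article or from Action1; the scoring weights, field names and sample hosts are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

@dataclass
class Asset:
    host: str
    os_end_of_life: Optional[date]   # None means the OS is still vendor-supported
    internet_facing: bool
    business_critical: bool

@dataclass
class Finding:
    host: str
    software: str
    cvss: float              # base severity on the 0-10 CVSS scale
    exploited_in_wild: bool  # vendor or CISA reports active exploitation
    patch_available: bool

def risk_score(asset: Asset, finding: Finding) -> float:
    """Likelihood of exploitation times value of the asset at risk, scaled to 0-10."""
    likelihood = finding.cvss / 10.0
    if finding.exploited_in_wild:          # known exploitation doubles likelihood
        likelihood = min(1.0, likelihood * 2.0)
    if asset.internet_facing:              # exposure raises likelihood further
        likelihood = min(1.0, likelihood * 1.5)
    impact = 1.0 if asset.business_critical else 0.5
    return round(10.0 * likelihood * impact, 2)

def recommend(asset: Asset, finding: Finding, score: float, today: date) -> str:
    if asset.os_end_of_life and asset.os_end_of_life < today:
        return "retire-or-isolate"         # no vendor patches will ever arrive
    if not finding.patch_available:
        return "mitigate-and-watch"
    return "patch-now" if score >= 5.0 else "patch-next-cycle"

def prioritize(assets: List[Asset], findings: List[Finding],
               today: date) -> List[Tuple[str, str, str, float]]:
    """Return (host, software, action, score) rows, highest risk first."""
    by_host = {a.host: a for a in assets}
    queue = []
    for f in findings:
        a = by_host[f.host]
        s = risk_score(a, f)
        queue.append((f.host, f.software, recommend(a, f, s, today), s))
    return sorted(queue, key=lambda row: row[3], reverse=True)

# Constructed sample data; the Windows 7 end-of-support date (14 Jan 2020) is real.
SAMPLE_TODAY = date(2021, 12, 1)
SAMPLE_ASSETS = [Asset("mail-edge-01", None, True, True),
                 Asset("hr-desktop-07", date(2020, 1, 14), False, False),
                 Asset("lab-vm-03", None, False, False)]
SAMPLE_FINDINGS = [Finding("mail-edge-01", "mail-server", 9.8, True, True),
                   Finding("hr-desktop-07", "os-component", 7.5, False, False),
                   Finding("lab-vm-03", "browser", 8.8, True, True)]
```

Running `prioritize(SAMPLE_ASSETS, SAMPLE_FINDINGS, SAMPLE_TODAY)` puts the internet-facing mail server first and marks the end-of-life desktop for retirement rather than patching, which is the inventory decision the paragraph above calls for.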
Supporting Ongoing Agility, without Compromise
Organizations worldwide are eager to unlock the flexibility, agility and other benefits of a remote or hybrid work model. Using the practical tips provided here, they can implement a solid patch strategy to achieve those goals — without sacrificing security or business continuity.
Mike Walters is co-founder and President of Action1 Corporation, which provides remote monitoring and management software. Mike has more than 20 years of experience in IT technology and IT security. Prior to Action1, Mike co-founded Netwrix, whose visibility platform for cybersecurity and risk mitigation is helping more than 10,000 customers.