6 Reasons Why Companies Don't Patch

Patching is a major challenge for IT managers everywhere. As WannaCry and its variants showed us, keeping up with patches is difficult. Just 31% of companies running Windows are on the latest operating system (OS), with 60% running Windows versions that no longer receive regular support.

Running an out of date OS triples the risk of a cyber attack. This alone is cause for concern. But if you’re a small to medium enterprise (SME), the news is even worse. A recent Juniper study concluded that SME’s typically run older software and tend to spend less than $4,000 on cyber security, leaving them even more vulnerable to cyber attacks.

So why isn’t patching more of a priority?

“We haven’t been able to get to it,” is a common refrain, and one that is starting to raise a lot of eyebrows. Data security compliance regulations, such as the Payment Card Industry Data Security Standard (PCI DSS or PCI for short), are implementing stronger requirements. And if you’re looking to transfer risk, Cyber Liability Insurance may not cover an attack if you’re not fully up to date with patching.

IT does not take a devil may care attitude towards security. In fact, it is just the opposite. Security is their number one concern. So why are they putting patching, which can cut a threat footprint in half, on the back burner? There are a variety of reasons:

  • There are too many patches to keep up with
  • Patching is a manual, time consuming process
  • Lack of resources
  • Some applications can’t be patched internally
  • End user resistance
  • Risk of creating additional problems or bringing the network down

Let’s start with the sheer number of patches released. Thus far in 2017 the US is averaging more than 12 publicly disclosed breaches per day with more than 6 billion records compromised. If you’re already behind on systems security, it’s not hard to see how the number of outstanding patches can quickly overwhelm an already busy IT department.

Even when companies are managing their OS patching, third party application vulnerabilities are too often overlooked completely, leaving security holes on every endpoint. There are likely as many third-party applications on a device as there are OS applications.

Next are operational issues. For many, patching is handled manually or through vendor supplied solutions that only manage their patches (think Microsoft), meaning you have different processes for different applications... Adobe, Java, browsers, etc. To say the process is inefficient is an understatement. On-premise paid solutions can help, but unfortunately, they target the enterprise and are out of reach for many SMEs’ IT departments.

Now combine this with the fact that no one goes to school for patch management and there aren’t many Patch Managers out there (I checked on LinkedIn), and you can see why resources and skills are the top concern of CIO’s globally. Patching requires time and understanding of network dependencies, especially with more applications running in the cloud. Without an increase in headcount and proper training, there is a limit to how much time can be directed to patching.

There are also situations where patching simply can’t be done. Security appliances can only be patched by the vendor, and even then, they are not the most expedient about patching, meaning some of your security process is actually vulnerable. Additionally, legacy software that is required for day to day operations may no longer be supported by the manufacturers. Perhaps they discontinued the product or are no longer in business. Either way, patches simply aren’t available.

That brings us to end users. They are all about convenience and rarely consider security during their day to day operations. They just want to get their work done as easily as possible without interruption or distraction. The last thing they want is be forced by IT to reboot their laptop (or desktop) in order to install updates.

For IT, updates are just the beginning. The majority of end users still have admin rights on their device and can install software and manage settings on their own. Just knowing what is on each device is nearly impossible, causing frustration and delays for IT Managers trying to ensure system compliance.

The most common reason for admins not applying patches is fear.

Applying patches requires stopping and then restarting the application, with some patches requiring a system reboot. Applying a patch, no matter how critical, can result in:

  • The application, itself, no longer working
  • The device locking
  • Other applications no longer functioning properly

Today’s software stacks are more complex than ever, from small companies that hired a contractor to set up their systems and haven’t had that person back since, to large corporations who have intricate system interdependencies. Cloud based applications have enabled interoperability that wasn’t possible a decade ago. The complexity of maintaining infrastructures against attacks is more multifaceted than ever.

The chance that fixing one problem could create other problems and affect the overall network with the potential for service interruptions creates anxiety which too often results in maintaining the status quo. While we know the cost of a cyberattack is undoubtedly higher than the cost of improving the patching process, the perception that “we’re watching it, we won’t be attacked,” overrides the desire to do the work and take the time required to gain executive buy-in on improving the patching process.

An excellent example of this scenario is Java. It is an incredibly popular program that has a significant number of business critical applications relying on it. IT Security managers have challenges patching Java in a timely manner because it will break too many vital applications.

In reality, the percentage of patches that actually cause operational issues is small. But as long as it exists, there will be a lack of trust in applying patches. There is a way to eliminate the fear and instill confidence: patch automation.

Automox is a new breed of solutions that has taken the pain out of patching.

Automox’s cloud based, automated patching solutions meet you where you are. If you need full “set it and forget it” automation that updates every day, you’re covered. If you have a patch testing process that requires success on a canary environment before deployment, you’re covered there as well. No matter how you deploy patches, you can automate the process with Automox. With instant visibility of system security and compliance across Windows, Mac OS X, Linux, and 3rd party software, you have complete control of system and software patching and configuration from a single dashboard.

About Automox

Facing growing threats and a rapidly expanding attack surface, understaffed and alert-fatigued organizations need more efficient ways to eliminate their exposure to vulnerabilities. Automox is a modern cyber hygiene platform that closes the aperture of attack by more than 80% with just half the effort of traditional solutions.

Cloud-native and globally available, Automox enforces OS & third-party patch management, security configurations, and custom scripting across Windows, Mac, and Linux from a single intuitive console. IT and SecOps can quickly gain control and share visibility of on-prem, remote and virtual endpoints without the need to deploy costly infrastructure.

Experience modern, cloud-native patch management today with a 15-day free trial of Automox and start recapturing more than half the time you're currently spending on managing your attack surface. Automox dramatically reduces corporate risk while raising operational efficiency to deliver best-in-class security outcomes, faster and with fewer resources.

Dive deeper into this topic