
6 Reasons Why Companies Don't Patch

Patching is a major challenge for IT managers everywhere. As WannaCry and its variants showed us, keeping up with patches is difficult. Just 31% of companies running Windows are on the latest operating system (OS), with 60% running Windows versions that no longer receive regular support.

Running an out-of-date OS triples the risk of a cyber attack. This alone is cause for concern. But if you’re a small to medium enterprise (SME), the news is even worse. A recent Juniper study concluded that SMEs typically run older software and tend to spend less than $4,000 on cyber security, leaving them even more vulnerable to attack.

So why isn’t patching more of a priority?

“We haven’t been able to get to it,” is a common refrain, and one that is starting to raise a lot of eyebrows. Data security compliance regulations, such as the Payment Card Industry Data Security Standard (PCI DSS or PCI for short), are implementing stronger requirements. And if you’re looking to transfer risk, Cyber Liability Insurance may not cover an attack if you’re not fully up to date with patching.

Is patching on the back-burner?

IT does not take a devil-may-care attitude towards security. In fact, it is just the opposite: security is their number one concern. So why is patching, which can cut a threat footprint in half, put on the back-burner? There are a variety of reasons:

  • There are too many patches to keep up with
  • Patching is a manual, time consuming process
  • Lack of resources
  • Some applications can’t be patched internally
  • End user resistance
  • Risk of creating additional problems or bringing the network down

Number of patches in the States

Let’s start with the sheer number of patches released. Thus far in 2017 the US is averaging more than 12 publicly disclosed breaches per day with more than 6 billion records compromised. If you’re already behind on systems security, it’s not hard to see how the number of outstanding patches can quickly overwhelm an already busy IT department.

Even when companies are managing their OS patching, third-party application vulnerabilities are too often overlooked completely, leaving security holes on every endpoint. There are likely as many third-party applications on a typical device as there are OS components, and each of them ships fixes on its own schedule.

Sometimes operational issues block patching

For many, patching is handled manually or through vendor-supplied tools that only manage that vendor’s own patches (think Microsoft), meaning you have a different process for each application: Adobe, Java, browsers, and so on. To say the process is inefficient is an understatement. On-premises paid solutions can help, but unfortunately they target the enterprise and are out of reach for many SMEs’ IT departments.

Now combine this with the fact that no one goes to school for patch management and there aren’t many Patch Managers out there (I checked on LinkedIn), and you can see why resources and skills are the top concern of CIOs globally. Patching requires time and an understanding of network dependencies, especially with more applications running in the cloud. Without an increase in headcount and proper training, there is a limit to how much time can be directed to patching.

There are also situations where patching simply can’t be done. Security appliances can only be patched by the vendor, and vendors are not always expedient about releasing fixes, meaning part of your security stack itself stays vulnerable in the meantime. Additionally, legacy software required for day-to-day operations may no longer be supported by its vendor, whether because the product was discontinued or the company is no longer in business. Either way, patches simply aren’t available.

End users and patching

End users are all about convenience and rarely consider security during their day-to-day operations. They just want to get their work done as easily as possible, without interruption or distraction. The last thing they want is to be forced by IT to reboot their laptop (or desktop) in order to install updates.

For IT, updates are just the beginning. The majority of end users still have admin rights on their device and can install software and change settings on their own. Just knowing what is on each device is nearly impossible, causing frustration and delays for IT managers trying to ensure system compliance.
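The two gaps described above, third-party applications that fall outside OS patching and devices whose contents IT cannot see, are both inventory problems. The following PowerShell script is an added example, not code from the article or from Automox: it enumerates every installed product from the Windows Uninstall registry keys (64-bit, 32-bit and per-user installs), separates third-party products from Microsoft ones, flags third-party versions below a minimum, and lists pending Windows updates through the Windows Update Agent COM API. The `$Baseline` table of product names and minimum versions is an assumption for illustration; replace it with the versions you track from vendor advisories, and expect `DisplayVersion` strings to vary in format between vendors.

```powershell
# Added example (not from the original article): endpoint inventory of installed
# software and pending Windows updates, with third-party products compared against
# an assumed minimum-version baseline. Run in an elevated PowerShell session.

# Assumption: illustrative product-name prefixes and minimum versions only.
$Baseline = @{
    'Google Chrome' = [version]'60.0.0.0'
    'Java 8'        = [version]'8.0.1440.0'
}

# 1. Installed software. The three Uninstall keys cover 64-bit, 32-bit (WOW6432Node)
#    and per-user installs; entries without a name or version are usually
#    components or leftovers and are skipped.
$UninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
$Installed = Get-ItemProperty -Path $UninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -and $_.DisplayVersion } |
    Select-Object DisplayName, DisplayVersion, Publisher |
    Sort-Object DisplayName -Unique

# 2. Split Microsoft products from everything else so the size of the
#    third-party surface is visible at a glance.
$ThirdParty = @($Installed | Where-Object { $_.Publisher -notmatch 'Microsoft' })
"{0} products installed, {1} third-party" -f @($Installed).Count, $ThirdParty.Count

# 3. Compare third-party products against the baseline. DisplayVersion is free
#    text set by each vendor, so parse defensively and report what did not parse
#    rather than silently treating it as current.
foreach ($app in $ThirdParty) {
    $key = $Baseline.Keys | Where-Object { $app.DisplayName -like "$_*" } | Select-Object -First 1
    if (-not $key) { continue }
    $parsed = $null
    if ([version]::TryParse($app.DisplayVersion, [ref]$parsed)) {
        if ($parsed -lt $Baseline[$key]) {
            "OUT OF DATE: {0} {1} (baseline {2})" -f $app.DisplayName, $parsed, $Baseline[$key]
        }
    } else {
        "UNPARSED:    {0} version '{1}'" -f $app.DisplayName, $app.DisplayVersion
    }
}

# 4. OS side: updates the Windows Update Agent knows about but has not installed.
#    The search goes to whatever source the machine is configured for (Microsoft
#    Update or WSUS), so an offline or mis-targeted client reports nothing.
$Session  = New-Object -ComObject Microsoft.Update.Session
$Searcher = $Session.CreateUpdateSearcher()
$Pending  = $Searcher.Search('IsInstalled=0 and IsHidden=0').Updates
"{0} Windows updates pending" -f $Pending.Count
foreach ($u in $Pending) {
    $severity = if ($u.MsrcSeverity) { $u.MsrcSeverity } else { 'n/a' }
    "  [{0}] {1}" -f $severity, $u.Title
}
```

Run on one machine this only answers the question for that machine; the point of the exercise is to run it across the fleet (through a management agent or remoting) and aggregate the OUT OF DATE and UNPARSED lines, since the unparsed entries are exactly the products whose state nobody is tracking.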

The most common reason admins don't apply patches

It's fear, plain and simple.

Applying patches requires stopping and then restarting the application, with some patches requiring a system reboot. Applying a patch, no matter how critical, can result in:

  • The application, itself, no longer working
  • The device locking up
  • Other applications no longer functioning properly

Today’s software stacks are more complex than ever, from small companies that hired a contractor to set up their systems and haven’t had that person back since, to large corporations with intricate system interdependencies. Cloud-based applications have enabled interoperability that wasn’t possible a decade ago. Maintaining an infrastructure against attack is more multifaceted than ever.

The chance that fixing one problem could create others, affect the whole network and interrupt service creates anxiety that too often results in maintaining the status quo. We know the cost of a cyberattack is undoubtedly higher than the cost of improving the patching process, yet the perception that “we’re watching it, we won’t be attacked” overrides the desire to do the work and take the time required to gain executive buy-in on improving the patching process.

An excellent example of this scenario is Java. It is an incredibly widely deployed runtime, with a significant number of business-critical applications depending on a particular version of it. IT security managers struggle to patch Java in a timely manner because an update can break too many vital applications.

In reality, the percentage of patches that actually cause operational issues is small. But as long as that risk exists, there will be a lack of trust in applying patches. There is a way to eliminate the fear and instill confidence: patch automation.

Take the pain out of patching

Automox’s cloud-based, automated patching solutions meet you where you are. If you need full “set it and forget it” automation that updates every day, you’re covered. If you have a patch testing process that requires success on a canary environment before deployment, you’re covered there as well. No matter how you deploy patches, you can automate the process with Automox. With instant visibility of system security and compliance across Windows, Mac OS X, Linux, and third-party software, you have complete control of system and software patching and configuration from a single dashboard.


Automox for Easy IT Operations

Automox is the cloud-native IT operations platform for modern organizations. It makes it easy to keep every endpoint automatically configured, patched, and secured – anywhere in the world. With the push of a button, IT admins can fix critical vulnerabilities faster, slash cost and complexity, and win back hours in their day. 

Grab your free trial of Automox and join thousands of companies transforming IT operations into a strategic business driver.
