We know the reasons patching regularly is a dreaded activity: it’s difficult to keep up with the number of patches required across systems, there is a risk that untested patches can take down business-critical systems, and the time spent manually scanning, testing, and applying patches takes resources away from other pressing IT security needs. This explains why Fortinet [1] recently reported that 60% of the companies they protect experienced attacks trying to exploit vulnerabilities that were more than 10 years old. So, what are the consequences if I don’t patch regularly?
Security Vulnerabilities Will Be Exploited
Some companies take a calculated risk in not patching, assuming that their firewalls or antivirus technology will catch major threats before they cause too much harm. However, as malware gets more sophisticated, firewalls and antivirus are less successful at detecting a breach, and the cost of an attack has gone up in the US in recent years.
Out-of-date patches account for 50% [2] of all information system vulnerabilities, and the quick spread of the WannaCry ransomware in May 2017 exposed the danger to those who had not patched. The majority of those affected by WannaCry were running Windows XP, which had been unsupported for several years, or Windows 10, for which a patch for the exploited vulnerability had been released two months before the ransomware spread. The Heartbleed OpenSSL vulnerability was also exploited once publicized, and led to the breach of 4.5 million patient records a week after the fix had been released.
Once a vulnerability has been publicized, malware is quickly developed to take advantage of it. With thousands of vulnerable endpoints at risk, hackers know that it takes time for companies to download, test, and implement a new patch. In the above cases, not patching regularly led to lost money to ransom seekers, lost business while systems were impacted, potential lawsuits, and ongoing damage to company reputation.
The Cost to Recover is High
The cost of delaying patching falls into two categories: the cost to recover from an attack on an unpatched system, and the cost to catch up with patching if it has been ignored.
The costs of an attack vary widely based on the company, its size, and the attack type. The large data breaches at Target and Yahoo cost $202 million and $350 million respectively, and the loss of customer trust can go on for years. In addition to the lost business and settlements that are possible after an attack, there are also huge costs for an IT team to stop an attack and put new procedures in place to prevent a future occurrence.
With an average of 15 new patches released each day [3], failure to apply updates on a regular schedule can quickly snowball and result in legacy systems running outdated and unsupported software. In the best-case scenario, not patching regularly will result in an extended fire drill for the majority of the IT team as soon as a compliance audit is due or the CEO decides to check on the status of data security. In the worst-case scenario, you’ve fallen victim to an attack and may be looking for a job tomorrow.
Automated Patch Management
Though they know the high costs associated with a data breach, many companies believe that the resource costs of patching manually outweigh the risk that a vulnerability will be exploited in their infrastructure. Fortunately, automated patch management solutions like Automox remove this concern. With an automated solution, companies can see their infrastructure’s vulnerability position in real time, determine which patches they want to apply, and begin patching in minutes instead of days or weeks.
Automox also provides a level of control never before seen in patch automation, integrating with existing patch testing workflows so you maintain control over how and when patches are pushed to production. Failing to patch regularly because it’s a time-consuming process is no longer an excuse. Automox protects you from zero-day exploits, improves infrastructure security, and reduces your vulnerability footprint.
[1] https://www.bleepingcomputer.com/news/security/90-percent-of-companies-get-attacked-with-three-year-old-vulnerabilities/
[2] http://www.information-age.com/why-your-business-cant-afford-not-patch-123459579/
[3] https://www.csoonline.com/article/3025807/data-protection/why-patching-is-still-a-problem-and-how-to-fix-it.html
Facing growing threats and a rapidly expanding attack surface, understaffed and alert-fatigued organizations need more efficient ways to eliminate their exposure to vulnerabilities. Automox is a modern cyber hygiene platform that closes the aperture of attack by more than 80% with just half the effort of traditional solutions.
Cloud-native and globally available, Automox enforces OS and third-party patch management, security configurations, and custom scripting across Windows, Mac, and Linux from a single intuitive console. IT and SecOps can quickly gain control and share visibility of on-prem, remote, and virtual endpoints without the need to deploy costly infrastructure.
Experience modern, cloud-native management today with a 15-day free trial of Automox and start recapturing more than half the time you're currently spending on managing your attack surface. Automox dramatically reduces corporate risk while raising operational efficiency to deliver best-in-class security outcomes, faster and with fewer resources.