A recent N.America / EMEA survey points to the many challenges of system patching, but laggards may WannaCry if they delay.
In a survey of about 500 enterprise IT and security professionals across North America and EMEA, 71% of respondents who were IT and security professionals found patching to be overly complex, cumbersome and time consuming.
Also, 57% of respondents stated that remote work had increased the complexity and scale of patch management.
The data from the survey indicated that respondents were struggling with attack surface risk and ways to accelerate patch and remediation actions. IT and security teams simply cannot respond fast enough, with 53% of respondents indicating that organizing and prioritizing critical vulnerabilities took up most of their time, followed by issuing resolutions for failed patches (19%), testing patches (15%) and coordinating with other departments (10%).
Other findings
The myriad challenges that IT and security teams in the survey faced when it came to patching could explain why 49% believed their company’s current patch management protocols failed to effectively mitigate risk. Also:
- 62% of respondents said that patching often took a back seat to their other tasks, and 60% said that patching caused workflow disruption to users.
- 61 per cent of IT and security professionals in the survey said that business owners whose production systems cannot be brought down always ask for exceptions or push back maintenance windows once a quarter.
Srinivas Mukkamala, Senior Vice President of Security Products, Ivanti, the firm that commissioned the survey said workforces are more distributed than ever before, and ransomware attacks are intensifying and impacting economies and governments. “Most organizations do not have the bandwidth or resources to map active threats such as those tied to ransomware. The good news is that the combination of risk-based vulnerability prioritization and automated patch intelligence can bring to light vulnerabilities that are being actively exploited and have ties to ransomware. With unique patch reliability, IT and security teams can seamlessly deploy patches and solve for common challenges that are putting organisations at risk.”
The White House recently released a memo encouraging organizations to use a risk-based assessment strategy to drive patch management and bolster cybersecurity against ransomware attacks.
A prime example of the severe repercussions that can occur when patches are not promptly applied is the WannaCry ransomware attack, which encrypted an estimated 200,000 computers in 150 countries. This was despite the fact that a patch for the vulnerability exploited by the ransomware had existed several months before the initial attack. Yet many organizations failed to implement it.
Even now, four years later, many companies still have not patched their systems.