Software Updates: The Achilles’ Heel of Cybersecurity

Publication date: Oct 10, 2021

Last Published: Dec 13, 2022


Just like every October, various organizations and businesses are raising awareness about the importance of cybersecurity as part of the Cybersecurity Awareness Month initiative, which was launched by the National Cyber Security Alliance (NCSA) and the Department of Homeland Security (DHS) in October 2004.

At OSIbeyond, we’re delighted to see individuals and companies alike become more aware of cybersecurity issues because we’re keenly aware of the difference awareness can make. One issue that, in our opinion, deserves far more attention than it gets is the prevalence of unpatched software.

It turns out that many people don’t hesitate to click the “remind me later” button when an update notification appears while they’re in the middle of something. While seemingly innocent, this practice has such far-reaching consequences that it wouldn’t be too hyperbolic to call it the Achilles’ heel of cybersecurity.


Unpatched Software Has Significant Consequences

Everyone has postponed an update, typically to avoid having to save all work and restart the updated device.

Installing a single update a bit later is not ideal, but it’s not a cybersecurity sin either. When dozens or hundreds of employees keep postponing updates over and over again, however, or when they’re never notified of available updates in the first place, the consequences can be severe.

According to a survey by security company Tripwire, unpatched software is responsible for approximately one in three breaches.

Cybersecurity ratings company BitSight found that organizations that fail to patch are at least twice as likely to suffer a breach, and that the risk rises by 300 percent for unpatched desktop software.

Real-world examples of the consequences delayed patching can have are not difficult to find. The 2017 Equifax breach, which exposed the personal information of 145 million people, happened entirely because of an unpatched security vulnerability. The same goes for the 2018 SingHealth breach, which compromised personal data of 1.5 million patients.

Despite poor patching practices having very real and widely documented consequences, two-thirds of vulnerabilities on enterprise networks involve unpatched flaws that are over two years old, as revealed in Bitdefender’s 2020 Business Threat Landscape Report. This has to change to keep cyber threats at bay, and the first step is to realize that not all updates are created equal.

Some Updates Should Never Be Postponed

There are several main types of software updates, and security patches are one of them.

Security updates are released for all kinds of software, from operating systems to third-party applications to web browser extensions. All of them address vulnerabilities that can lead to costly data breaches, so figuring out how to reliably install them across all work devices in a timely manner should be every decision maker’s top priority.

Implementing a Comprehensive Patch Management Strategy

To prevent software updates from being the Achilles’ heel of your organization’s cybersecurity, you need to implement a comprehensive patch management strategy.

A good first step is to create a detailed inventory of all software and hardware assets, including computers, mobile devices, and network equipment. To make the ongoing maintenance of your inventory easier, and to avoid a range of other patching-related issues, it’s a good idea to prohibit employees from using their own personal devices for work.

Once you know exactly what needs to be updated, it’s time to make the process of distributing and applying updates to software painless and reliable. Whenever possible, enable automatic updates but configure them so they’re not too disruptive. For example, you can make them install the updates but prompt the user to reboot rather than force them.
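The configuration described above, applied to a Windows workstation, as an added example that is not part of the original post and not OSIbeyond’s own tooling. It uses the documented Automatic Updates policy registry values under `HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU` to have updates download and install on a schedule while leaving the restart to the logged-on user; it assumes Windows 10/11 and an elevated PowerShell session, and the function names and the 03:00 install time are choices made for this example.

```powershell
# Added example: configure Windows Update to install automatically but
# prompt the user to restart rather than forcing it. Assumes an elevated
# PowerShell session on Windows 10/11.

$AUPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'

function Set-NonDisruptiveAutoUpdate {
    if (-not (Test-Path $AUPolicy)) {
        New-Item -Path $AUPolicy -Force | Out-Null
    }

    # 0 = automatic updates enabled (1 would disable them entirely)
    Set-ItemProperty -Path $AUPolicy -Name NoAutoUpdate -Value 0 -Type DWord

    # 4 = auto download and schedule the install
    # (3 would download but notify before installing)
    Set-ItemProperty -Path $AUPolicy -Name AUOptions -Value 4 -Type DWord

    # Install every day (0) at 03:00 local time (3), so the install itself
    # never interrupts working hours; the time is an example choice
    Set-ItemProperty -Path $AUPolicy -Name ScheduledInstallDay  -Value 0 -Type DWord
    Set-ItemProperty -Path $AUPolicy -Name ScheduledInstallTime -Value 3 -Type DWord

    # 1 = if a user is logged on, notify them to restart instead of
    # restarting the machine automatically
    Set-ItemProperty -Path $AUPolicy -Name NoAutoRebootWithLoggedOnUsers -Value 1 -Type DWord
}

function Test-NonDisruptiveAutoUpdate {
    # Read the policy back and report any value that drifted from the intent;
    # empty output means the device is configured as intended
    $expected = @{
        NoAutoUpdate                  = 0
        AUOptions                     = 4
        NoAutoRebootWithLoggedOnUsers = 1
    }
    $actual = Get-ItemProperty -Path $AUPolicy -ErrorAction SilentlyContinue
    foreach ($name in $expected.Keys) {
        if ($null -eq $actual -or $actual.$name -ne $expected[$name]) {
            [pscustomobject]@{
                Setting  = $name
                Expected = $expected[$name]
                Actual   = $actual.$name
            }
        }
    }
}

Set-NonDisruptiveAutoUpdate
Test-NonDisruptiveAutoUpdate
```

The policy takes effect at the next Group Policy refresh (or after `gpupdate /force`). On devices managed by a domain GPO or an MDM such as Intune, the managing policy overwrites these local values, so the same settings should be made there instead; the `Test-` function is still useful as a per-device compliance check in either case.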

Outsourcing Patch Management

Patch management can become the responsibility of a third-party IT services provider, such as us at OSIbeyond. Using a specialized patch management tool, we can remotely monitor and update all devices used by employees working from the office as well as those in remote or hybrid roles. By making the management of software updates our responsibility, you can maintain both a strong cybersecurity posture and a strong focus on your customers.

Get in touch with us, and let us ensure that unpatched software vulnerabilities won’t ever get in the way of your business objectives.
