Head over to our on-demand library to view sessions from VB Transform 2023. Register Here
Enterprises that procrastinate about implementing software patch management give cybercriminals more time to weaponize new endpoint attack strategies.
A clear majority (71%) of IT and security professionals see patching as overly complex, cumbersome, and time-consuming. In addition, 57% of those same professionals say remote work and decentralized workspaces make a challenging task even more difficult. Sixty-two percent admit that patch management takes a backseat to other tasks; device inventory and manually based approaches to patch management aren’t keeping up.
IT integrator Ivanti’s report on patch management challenges, published on October 7, provides new insights into the growing number of vulnerabilities enterprises face by dragging their feet about improving patch management. Most troubling is how cybercriminals try to capitalize on these patch management weaknesses at the endpoint level by weaponizing vulnerabilities, especially those with remote code execution and quick-hit ransomware attacks.
Ivanti surveyed more than 500 enterprise IT and security professionals across North America, Europe, the Middle East, and Africa. The results are startling in why and how often patches get pushed back, leaving enterprises more vulnerable to breaches.
VB Transform 2023 On-Demand
Did you miss a session from VB Transform 2023? Register to access the on-demand library for all of our featured sessions.
The high cost of slow patch management
The survey found that 14% of the enterprises interviewed (70 of 500) have experienced a financial hit worth between $100,000 to more than $1 million to their businesses in the last 12 months that could have been avoided with better patch management. The Institute for Security and Technology found that victims forced to pay a ransom increased more than 300% from 2019 to 2020. According to its Internet Crime Report, the FBI found that the collective cost of the ransomware attacks reported to the bureau in 2020 amounted to about $29.1 million, up more than 200% from $8.9 million the year before. The White House recently released a memo encouraging organizations to use a risk-based assessment strategy to drive patch management and bolster cybersecurity against ransomware attacks.
Not getting patching right can have disastrous consequences, as the WannaCry ransomware attack demonstrated. This was a worldwide cyberattack surfacing in May 2017 that targeted computers running Microsoft Windows by encrypting data and demanding ransom payments in the Bitcoin cryptocurrency.
With more than 200,000 devices encrypted in 150 countries, WannaCry provides a stark reminder of why patch management needs to be a high priority. A patch for the vulnerability exploited by the ransomware had existed for several months before the initial attack, yet many organizations failed to implement it. As a result, enterprises still fall victim to WannaCry ransomware attacks today. There was a 53% increase in the number of organizations affected by WannaCry ransomware from January to March 2021.
Often, the line-of-business owners across an enterprise pressure IT and security teams to put off urgent patches because their systems can’t be brought down without any impact on revenue. Sixty-one percent of IT and security professionals say that business owners ask for exceptions or push back maintenance windows once a quarter because their systems cannot be brought down. In addition, 60% said that patching causes workflow disruption to users. While enterprises slow the pace of patch deployments, cybercriminals accelerate vulnerability weaponization efforts.
Enterprises struggle to control new cyberattacks
Many IT and security teams are now stretched thin and struggle to control the many new attack surface risks their enterprises face. Ivanti’s survey shows that IT and security teams aren’t able to respond quickly enough to avert breaches. For example, 53% said that organizing and prioritizing critical vulnerabilities takes up most of their time, followed by issuing resolutions for failed patches (19%), testing patches (15%), and coordinating with other departments (10%).
The myriad challenges that IT and security teams face regarding patching may be why 49% of IT and security professionals believe their company’s current patch management protocols fail to mitigate risk effectively.
Like enterprises, cybercriminals recruit new talent to help devise new approaches to weaponizing vulnerability techniques they see working. That’s why enterprises must define a patch management strategy that scales beyond device inventory and manually based approaches that take too much time to get right. With ransomware having a record year, enterprises need to find new ways to automate patch management at scale now.
VentureBeat's mission is to be a digital town square for technical decision-makers to gain knowledge about transformative enterprise technology and transact. Discover our Briefings.