
One of the most common ways cybercriminals hit an organization is by exploiting a known security vulnerability. For that reason, regularly patching your software and other products is a vital way to protect yourself from cyberattack.

But many organizations fail to keep up with the proper patching, thus exposing themselves to great risk. A report released Wednesday by cybersecurity firm Trustwave looks at why security flaws often go unpatched and how organizations can beef up their patch management.


For its 2021 Trustwave SpiderLabs Telemetry Report, Trustwave examined high-profile vulnerabilities from the past year. The report found that despite the high severity of some of the security flaws that popped up, more than 50% of the servers were unprotected weeks and even months after an update had been released.

As recorded by the National Vulnerability Database, the number of vulnerabilities has also increased over the past 11 years, from 4,150 in 2011 to a whopping 18,352 in 2020 (Figure A). So far, 2021 shows 13,002 vulnerabilities, with three months of the year still remaining.

Figure A

Number of vulnerabilities published by the National Vulnerability Database from 2011-2021 (as of September 1, 2021).
Image: Trustwave

There are a few reasons why security flaws often go unpatched, according to Trustwave.

First, patching a system is not always as simple as just installing an update. Some systems are highly complex and mission critical. As such, they may require several levels of testing and approval from different teams to make sure that a given patch won’t create more problems than it solves.

Second, not all organizations have the staff or personnel available to focus exclusively on patch management. Some simply don’t have the budget to set up a dedicated team, which means certain staffers have to juggle multiple roles and tasks.

Third, some organizations lack the right process or strategy for fully testing, installing and deploying security patches.

Adding to the risk, many older or outdated applications and services are accessible from the public internet. Savvy cybercriminals who scan for known vulnerabilities can easily compromise an unpatched and unprotected resource without the organization knowing about it.


To help organizations get a better handle on their patch management, Trustwave offers the following four recommendations.

  1. Assign an individual or a team to design a security program that covers risk management and policy. Your best bet is to enlist someone already on staff with the necessary knowledge and skills to handle this. If you can’t find the right person or can’t devote someone to this task, look for an external professional who will assist internal IT or security people until they can eventually take over.
  2. Provide training to all employees beyond those in IT who manage critical systems. Despite the advent of artificial intelligence, certain critical security flaws demand human interaction. Educate employees with regular security training and provide the required support material. Ensure that everyone is following the right security policies and guidelines and make sure they understand the importance of proper security.
  3. Don’t forget about older or outdated systems, as these are often the ones most easily attacked. Ask the owner of each system to assess its current status and devise a patch management plan by working with the security team.
  4. Implement an effective incident response plan. Though you want to avoid being victimized, you need a plan in place in the event you are compromised. This type of plan should reduce the damage that a cyberattack inflicts on your organization.