Security professionals know that one of the keys to stopping ransomware is to rapidly patch vulnerabilities on their networks. But many of them admit to lagging behind.
- A new survey of security professionals ranks patch management among the top three tools to fight ransomware.
- Yet fewer than half of respondents said they rapidly patch their systems and applications.
- Four out of 10 data breaches reportedly occur because a patch was available but not applied.
Cybercriminals are fast at finding and exploiting vulnerabilities in companies’ networks and then holding them for ransom. One ploy is to track the constant release of software patches by IT platforms and vendors — and then slip in before companies apply the patches.
“When threat actors are able to go on the offensive within hours or days, organizations that take days, weeks or months to play defense will usually be outmaneuvered,” according to a new report from Osterman Research, sponsored by Mimecast. Only 51% of security professionals surveyed said they are effective at ensuring that all systems and endpoints are patched quickly after patches are released. Breaking down this finding:
- Thirty-six percent said they can patch systems and applications within hours of learning about new vulnerabilities.
- Forty-four percent said they take days.
- The remaining 20% take anywhere from one week to several months.
Separately, a report from the Ponemon Institute found 42% of companies that experienced a data breach blamed their own failure to apply a patch for a known vulnerability.
The Problem with Patching
A patch is an updated version of existing software that fixes flaws discovered in it; flaws that can be abused for malicious activity are known as vulnerabilities. Some vulnerabilities may have existed for years before their discovery and patching, while others are introduced in new software versions. Attackers may gain access to a network through a phishing email, for example, escalate to administrative privileges and then target unpatched assets to install programs such as ransomware.
In the Osterman research, patching ranks second only to multifactor authentication as an effective tool against ransomware, cited for its ability to reduce undefended areas and decrease the likelihood of succumbing to an attack. Still, 52% of professionals surveyed said they fear they are exposing themselves to ransomware by not keeping systems and applications patched.
Patching is a perennial problem. “Patching performance this year in organizations has not been stellar,” according to Verizon’s 2021 Data Breach Investigations Report. “Granted, it’s never been great.”
Ponemon estimated it can take 28 days to patch once a critical or high-risk vulnerability is detected on-premises, and 19 days if it is detected in the more centralized cloud environment.
Why Vulnerabilities Remain Unpatched
Many companies lack the needed technology, people and processes to keep up with the never-ending flow of patches from IT platforms and vendors. Even where resources are available, “timely patching is difficult to achieve,” Ponemon says.
At a human level, “few tasks in security are more tedious than vulnerability management,” Cisco reported from a survey of security professionals, calling patching one of the least well-implemented practices in the field. Reasons for delaying or forgoing patches include:
- Time wasted chasing and remediating false positives.
- No tolerance for the downtime required for patching.
- No common view of applications and assets across security and IT teams.
- Manual processes, including emails and spreadsheets, that let problems slip through the cracks.
- Lack of coordination between the security and IT teams.
- Inability to hold departments accountable.
- Fear of unintended impacts from updates on systems and applications.
- Doubt among smaller companies that attackers would target them.
- Old, unsupported software and systems for which patches are no longer released.
The Price of Delayed Patching
There’s a continuous flow of vulnerabilities that expose companies to ransomware. The Microsoft Vulnerabilities Report 2021 estimated 1,268 of them were patched in 2020, up 48% over 2019. That’s just a single tech platform, even if it is the one most used for enterprise productivity. A 2020 headline proclaimed a “patch-a-palooza” of 560 security flaws from six enterprise software makers in a single day. Indeed, the volume of patches can overwhelm security teams.
But leaving vulnerabilities unpatched can have severe repercussions. The Microsoft report cited the well-known WannaCry ransomware attack of 2017, noting that although Microsoft had released patches closing the vulnerability it exploited, much of the attack’s spread came from companies that had not applied them. The Verizon report’s “year in review” of major breaches around the world last year is filled with instances of unpatched systems.
And the longer a patch is left unaddressed, Osterman says, the more the risks and consequences of ransomware increase along the following arc:
- Initial infection and compromise.
- Lateral movement and persistence.
- Operational disruption.
- Financial compromise.
- Cessation of business operations.
Other risks of delayed patching include compliance and insurance issues. For example, a company that does not keep its software up to date could be subject to fines under Europe’s General Data Protection Regulation (GDPR) if it exposes personal information in a data breach. And cyber insurance providers may not cover breach damages if a company has fallen behind in patching.
Improving Patch Management
The use of manual processes delays patching, according to Ponemon, requiring employees to assign and push through every step. Automation is increasingly available in the form of patch management and vulnerability management tools.
Patch management tools can prioritize vulnerabilities and auto-assign tasks. More sophisticated vulnerability management tools also consult threat feeds and conduct frequent scanning of systems, applications and networks. Even the U.S. Cybersecurity & Infrastructure Security Agency (CISA) recently advised companies to “consider using a centralized patch management system.” In addition, some companies outsource some or all of these needs to a service provider.
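To make the prioritization and measurement described above concrete, here is an added Python example; it is not code from the article or from Osterman, Ponemon, CISA or any vendor named here. It assumes a constructed backlog of findings with placeholder vulnerability ids (the article names no CVEs), an assumed per-severity remediation SLA, and an "exploited in the wild" flag standing in for a threat-feed lookup. It orders the open backlog, flags SLA breaches, and reports time-to-patch both in the hours / days / week-or-longer buckets the Osterman survey uses and as a mean per environment, the on-premises versus cloud metric Ponemon reports.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Fixed "current time" so the constructed sample data is reproducible.
NOW = datetime(2021, 9, 1)

# Assumed remediation SLA in days per severity; the article gives no such figures.
SLA_DAYS = {"critical": 1, "high": 7, "medium": 30, "low": 90}
SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}


@dataclass
class Finding:
    asset: str
    environment: str            # "on-prem" or "cloud"
    vuln_id: str                # placeholder id; the article names no CVEs
    severity: str               # "critical", "high", "medium" or "low"
    exploited: bool             # would come from a threat feed in a real tool
    disclosed: datetime         # when the vendor patch became available
    patched: Optional[datetime] = None


def _finding(asset, env, vuln_id, severity, exploited, days_ago, patched_after=None):
    """Build a constructed sample finding disclosed `days_ago` days before NOW."""
    disclosed = NOW - timedelta(days=days_ago)
    patched = disclosed + patched_after if patched_after is not None else None
    return Finding(asset, env, vuln_id, severity, exploited, disclosed, patched)


# Constructed sample backlog, not real findings.
FINDINGS = [
    _finding("web-01", "on-prem", "EXAMPLE-VULN-1", "critical", True, 3),
    _finding("db-02", "on-prem", "EXAMPLE-VULN-2", "high", False, 20),
    _finding("app-03", "cloud", "EXAMPLE-VULN-3", "high", True, 2),
    _finding("file-04", "on-prem", "EXAMPLE-VULN-4", "medium", False, 10),
    _finding("api-05", "cloud", "EXAMPLE-VULN-5", "critical", False, 30, timedelta(hours=6)),
    _finding("cache-06", "cloud", "EXAMPLE-VULN-6", "high", False, 40, timedelta(days=3)),
    _finding("legacy-07", "on-prem", "EXAMPLE-VULN-7", "low", False, 120, timedelta(days=20)),
    _finding("mail-08", "on-prem", "EXAMPLE-VULN-8", "medium", False, 60, timedelta(days=8)),
]


def days_outstanding(f: Finding, now: datetime = NOW) -> float:
    """Days from patch availability to remediation, or to `now` if still open."""
    end = f.patched if f.patched is not None else now
    return (end - f.disclosed).total_seconds() / 86400


def priority_key(f: Finding, now: datetime = NOW):
    """Order: known-exploited first, then by severity, then longest outstanding."""
    return (0 if f.exploited else 1, SEVERITY_RANK[f.severity], -days_outstanding(f, now))


def open_backlog(findings, now: datetime = NOW):
    """Unpatched findings in the order a team should work them."""
    return sorted((f for f in findings if f.patched is None),
                  key=lambda f: priority_key(f, now))


def sla_breaches(findings, now: datetime = NOW):
    """(asset, vuln_id) pairs still open past the assumed SLA, in priority order."""
    return [(f.asset, f.vuln_id) for f in open_backlog(findings, now)
            if days_outstanding(f, now) > SLA_DAYS[f.severity]]


def latency_buckets(findings):
    """Count remediated findings in the hours / days / week-or-longer buckets."""
    buckets = {"within_hours": 0, "within_days": 0, "week_or_longer": 0}
    for f in findings:
        if f.patched is None:
            continue
        d = days_outstanding(f)
        if d < 1:
            buckets["within_hours"] += 1
        elif d < 7:
            buckets["within_days"] += 1
        else:
            buckets["week_or_longer"] += 1
    return buckets


def mean_time_to_patch(findings, environment: str) -> Optional[float]:
    """Mean days to patch for remediated findings in one environment, or None."""
    latencies = [days_outstanding(f) for f in findings
                 if f.patched is not None and f.environment == environment]
    return sum(latencies) / len(latencies) if latencies else None


if __name__ == "__main__":
    for f in open_backlog(FINDINGS):
        print(f"{f.asset:10} {f.vuln_id:15} {f.severity:8} exploited={f.exploited} "
              f"open={days_outstanding(f):.1f}d")
    print("SLA breaches:", sla_breaches(FINDINGS))
    print("Time-to-patch buckets:", latency_buckets(FINDINGS))
    for env in ("on-prem", "cloud"):
        print(f"Mean time to patch ({env}):", mean_time_to_patch(FINDINGS, env))
```

The ordering puts known-exploited findings ahead of everything else regardless of age, which is the practical reason vulnerability management tools consult threat feeds: a two-day-old exploited flaw outranks a twenty-day-old one that nobody is attacking. The bucket and mean figures are the kind of measurement a team needs before it can say which of the survey's "hours / days / weeks" groups it belongs to.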
The good news is that budgets are increasing for counteracting ransomware. Osterman says some of those funds should be dedicated to elevating capabilities for rapid patching.
The Bottom Line
Patching is a basic of cybersecurity hygiene, but companies often fall short of doing the job well. New research underscores its importance in battling ransomware, amid recommendations to put more effort into patch management.
- “The State of Vulnerability Management in the Cloud and On-Premises,” Ponemon Institute
- “Security Patching — The Stuff of Sys Admin Nightmares,” Secure Team
- “Patch-a-Palooza: More than 560 Flaws Fixed in a Single Day,” Dark Reading
- “DarkSide Ransomware: Best Practices for Preventing Business Disruption from Ransomware Attacks,” U.S. Cybersecurity & Infrastructure Security Agency