There never used to be a fuss about it.
In the past, updating software was about developers fine-tuning their programs, making extra features available and tweaking the way they work for optimal end-use.
But with cyber crime advancing to the level it is today, updating software is just as much about fixing recently discovered bugs and addressing the latest security issues.
Some updates are small enough to run in the background, but many require an actual download. These larger pieces of software are called patches, and it’s up to you to install them. They’re usually free and are necessary for your system and programs to continue running smoothly and, above all, safely.
Problems with patching
However, patching has drawbacks that result in patches not being installed timeously, if at all:
- It takes a lot of time to manually apply a patch across all company devices.
- There’s reluctance to apply a patch until certainty about its performance has built up.
- If every application needs its own update, which download do you prioritise?
Cyber attackers bank on the above, and the fact that many companies won’t install the latest patches immediately. During this window of opportunity, they have free rein to attack.
For commonly used third-party apps such as Adobe Reader, Adobe Acrobat, Flash Player and Mozilla Firefox, new updates become available every week, sometimes more than once.
Microsoft Teams also updates automatically every two weeks, and Zoom about once a month. Multiply these apps by the devices linked to your company, and the task of keeping up with all the updates becomes a disruption in itself.
Because apps like these are so widely used, they’re obvious targets for cyber criminals, who have a better hit rate with them. When a patch is announced, it alerts them to a vulnerability and they quickly get on to finding it, knowing they have a window of opportunity to exploit it.
According to Verizon’s Data Breach Investigations Report, 70% of cyber attacks were linked to a vulnerability for which a patch was available, but not installed.
An independent survey conducted by Ponemon showed the average timeline for patching critical vulnerabilities can be as much as 16 days. That’s plenty of time for an opportunistic hacker to make headway.
There’s no better example of a cyber attack that could’ve been avoided than the infamous and far-reaching WannaCry ransom attack, which spread across 150 countries and caught more than 300 000 computers without the available patch.
As soon as an app goes out of date, hackers target the vulnerability and inject malware into the unpatched system. Attackers can only target exposed systems; they can’t create exposed systems. Therefore, it’s entirely up to a company to ensure its system isn’t exposed.
Keeping all of a company’s applications up to date – across all devices – can end up being a full-time job, but it’s one that must be done.
If you’re not managing to stay on top of patching, the alternative is a patch management service, where all patching happens automatically as soon as a patch becomes available. It reduces your vulnerability time and requires no user intervention. Once installed, it will keep on patching in the background.
If you think patch management may solve your patching problems, chat to us about your options.