The true cost of poor patch management

Managing patches can be an overwhelming task. New technology emerges frequently, and applications are being added at an unprecedented rate, increasing the complexity of the IT environment. Yet, the main issue today is the massive number of vulnerabilities being created along the way.

Patch management, a subset of systems management that involves identifying, acquiring, testing, and installing patches or code changes, has become vital for businesses and organisations. Patches — intended to fix bugs, close security holes, or add features — are important for keeping computers and networks secure, reliable, and up-to-date with key features and functionalities.

Today, patch management has also become essential to ensure and document compliance with security and privacy regulations. It is now mandatory to demonstrate adherence to government-designated requirements. This is even more indispensable for organisations seeking to contract cyber insurance.

Perhaps the harshest reality check of all? It has become humanly impossible to patch everything. Just in 2022 alone, over 25,000 new vulnerabilities were discovered, the highest reported annual figure to date. That means organisations need to focus on those vulnerabilities that constitute security risks for their individual attack surfaces and then prioritise this smaller subset.

How do you fix what isn’t broken?

It’s easy to dismiss apparently well-functioning systems as secure. Many organisations assume that if there is no visible problem, there is no need to update or patch, even when vulnerabilities are known. Patching and updating systems are inherently disruptive, so to a degree this makes sense. But that doesn’t make it correct.

The reality is that organisations often lack awareness of the importance of patch management and of the risks associated with unpatched vulnerabilities. This problem is rooted in a lack of mutual understanding between siloed teams, which causes the patching process to break down. This type of poor patch management was the cause of the 2017 Equifax data breach, one of the largest of its kind in history, which cost the company billions in legal settlements, damaged its reputation, and led to the resignation of top executives.

When the security team gets wind of a specific problem and decides to rectify it, production wants to know the why, the priority level, and the how. Here we see the conflict: security’s priority is reducing vulnerabilities, while production’s is ensuring services run consistently. They can’t constantly reboot all apps and stymie the business.

We live in different times

The way we patch our systems hasn’t changed in decades. However, the volume of vulnerabilities has skyrocketed. You would think that organisations would have learned from the 2017 Equifax data breach, but critical software updates continue to be neglected, resulting in high-profile cyberattacks, such as Singapore’s SingHealth data breach in 2018 and the Bank Syariah Indonesia (BSI) data breach earlier this year, among many others.

Organisations that don’t consider regular updates run the risk of allowing cybercriminals to find and exploit these known vulnerabilities. Poor patch management inevitably leads to data breaches, and the cost of data breaches is substantial. The Ponemon Institute reported in 2020 that the average cost of a data breach was US$3.86 million. It gets worse when we include ransomware incidents caused by poor patch management. Take the Maersk shipping company as an example, which incurred losses of over US$300 million due to the NotPetya ransomware attack in 2017. In the same year, the infamous WannaCry ransomware attack cost organisations an estimated US$4 billion worldwide, and the cybersecurity world is still feeling the effect today.

The true cost of poor patch management

Today, 80% of breaches still come from a lack of basic cybersecurity hygiene that could have been easily prevented through risk awareness, the willingness to confront the problem, and steady investments to solve it. It’s also well known that about four out of five attacks exploit vulnerabilities that were discovered more than five years ago.

Modern tools can (and should) automatically scan an organisation’s systems and software to identify vulnerabilities that include missing patches, misconfigurations, and weak security settings. That’s the first step: You need to have visibility, and it needs to be regularly assessed.

There’s no longer any doubt that prioritised patching is essential to true cybersecurity. Not all patches are of equal importance. Effective vulnerability management equips organisations with automated tools to apply the necessary vendor-issued patches, prioritising the most pressing security vulnerabilities based on factors like severity, potential impact, relevance to the organisation’s infrastructure, and its unique attack surface.

To ease the tension between security and production teams, organisations can create testing environments to assess the impact of patches on their specific software configurations before rolling them out to production. This also minimises the risk of compatibility issues. Modern solutions also offer real-time monitoring and reporting that provide insight into patch deployment status and system vulnerabilities, helping organisations stay informed and make data-driven decisions.

What is the future for patch management?

Cyberthreats will always persist and continue to evolve. Likewise, the way we manage patches shouldn’t remain static. As new technologies and vulnerabilities continuously emerge, rapid patching will become increasingly important. Attackers often exploit zero-day vulnerabilities, necessitating the use of prioritisation, automation of patch deployment for non-critical updates, and scheduling to minimise disruption.

Since last year, generative AI tools have swept the world. It won’t be surprising to see patch management solutions start incorporating machine learning or AI for better prioritisation, threat prediction, and prevention.

An effective patch management process ensures not only that systems are kept up to date, but also that these updates are implemented in a timely manner. It leads to a safer world when organisations provide their security teams with the right approach and technologies to decipher and prioritise the vulnerabilities that actually need addressing.

Investing in smart patch management far outweighs the cost of a breach and the wider consequences that organisations face when they neglect this core pillar of cybersecurity.