The process of testing and installing security patches is an increasingly massive headache for IT staff, and as a result companies are left vulnerable to attacks.
That's according to a survey by security vendor Ivanti, which polled 500 enterprise administrators and security professionals and found that, by and large, patching was not a top priority for many IT departments.
The security firm found that of the 500 professionals polled, 71% said that they found patching to be "overly complex and time-consuming," and 62% said that getting patches tested and installed often takes a back seat to other tasks. In addition, 57% of respondents said the shift to decentralized workspaces and environments has made patch management more complex, not less.
"These results come at a time when IT and security teams are dealing with the challenges of the everywhere workplace, in which workforces are more distributed than ever before, and ransomware attacks are intensifying and impacting economies and governments," said Srinivas Mukkamala, senior vice president of security products for Ivanti.
"Most organizations do not have the bandwidth or resources to map active threats, such as those tied to ransomware, with the vulnerabilities they exploit."
In the survey, more than half of the respondents (53%) said that organizing and prioritizing vulnerabilities to be patched took up most of their time, 19% said that resolving problems from bad patches was the biggest time-waster and 15% reported that testing patches took the lion's share of their time.
"This is alarming because the longer vulnerabilities remain unpatched, the more exposed a business is to the risk of an attack or ransomware," Ivanti noted in its report. "However, no organization can patch all its exposure points and risk-based prioritization must be done quickly to keep ahead of automated adversarial attacks."
Putting off the patch installation was not always the network admin's own call. Of the 500 polled, 61% of respondents said that every quarter, management or business owners had told them to put off patch installations in favor of other tasks. What is worse, 28% of those surveyed said that such orders from management often come at least once per month.
This, of course, is a particularly bad practice at a time when ransomware attacks against enterprises have skyrocketed. With exploits against unpatched vulnerabilities being one of the most common methods of entry, putting off patches is an incredibly big security risk. Yet 49% of respondents believe their organization's current patch management protocols don't effectively mitigate risk.
The respondents, however, were fairly divided as to whether the pandemic-driven transition to remote work has made the process of patching more difficult. When asked if remote work made patching more complex, 53% said that complexity had "moderately increased," but 41% said they had not seen any increase. The remaining 6% was split between "greatly increased" at 4% and "slightly easier" at 2%.
Ultimately, however, Ivanti concluded that between remote work and the growth of mobile applications and cloud services, getting everything properly patched and secured is a bridge too far for many.
"In this scattered ecosystem, employees use various devices to access enterprise data, networks, and applications to keep working from anywhere, anytime," the security firm said.
"These decentralized workstations are more prone to significant threats from bad actors, who are capitalizing on the sudden shift to a perimeter-less workspace and as a conduit to infiltrate organizations."