Would you leave the door to your business open all night? What about the door to your home? Not just unlocked but open, with the light on and maybe a guide light? Not patching known vulnerabilities is leaving a door open. More than half of IT security professionals report that “unpatched software is the primary cause of breaches within their organizations.” So it should be no surprise that many of the most damaging (and expensive) cyberattacks have been due to organizations delaying patching or altogether neglecting it.
Patching is the core of good cybersecurity — without it companies are leaving known vulnerabilities open to attack. But if that isn’t reason enough to close open doors, here are several billion reasons to patch.
More Than $10 Billion in Damages
Three infamous cyber events have deep connections with patching — more precisely the failure to patch: the Equifax Breach, WannaCry, and NotPetya.
The Equifax Breach affected 145.5 million consumers. The price tag for that breach is currently around $700 million. And it’s all due to failure to patch a known vulnerability.
WannaCry affected more than 200,000 computers in 150 countries and created hundreds of millions (if not billions) of dollars in damage. However, Microsoft had released a patch that — if it had been applied — would’ve prevented the vulnerability that made WannaCry possible. To be clear, WannaCry’s ability to spread was due to organizations not patching or not updating older Windows systems that had gone beyond their end-of-life. Other than leaving a path of destruction, WannaCry highlighted to the world that “The patching and updating systems are broken, basically, in the private sector and in government agencies… There’s no assurance that even if the government reveals a vulnerability people are going to move quickly enough to make and apply the patch.”
NotPetya, one of the most damaging global cyberattacks in history, resulted in over $10 billion of damages. The attacks began in June of 2017, two months after Microsoft had released a patch which would’ve prevented the spread if it had been installed. That means companies had two months to install the patch that would’ve prevented NotPetya’s global damage.
Do As I Say, Not As I Do — A Lesson From Government
Part of staying up on patching is knowing what applications and systems you have, which is essential to knowing where you may have vulnerabilities. Keeping this kind of comprehensive list is not only helpful but a way to prevent overspending and — increasingly — a legal requirement.
One of the “more egregious shortcomings” revealed in a recent report — which also showed that federal departments were failing to maintain federally required lists of the applications and software they use — was that “six departments ‘failed to timely install security patches and other vulnerability remediation actions,’ … leaving hundreds of bugs unaddressed in their most critical systems.”
Not only are corporations not patching, but despite legislative requirements, even governmental departments are having difficulty keeping up with patching.
Breaches You Can Stop
A recent Ponemon Institute study found that only 49% of companies keep up to date on patching. “67 percent of respondents said they do not have the time or the resources to mitigate every bug which could be exploited to give attackers access to sensitive information, and 63 percent say that the ‘inability to act on a large number of resulting alerts and actions’ is a security problem.”
It may not be possible to prevent every kind of cyberattack, but it is essential to close open doors. Patching software is closing those open doors. Remember, a failure to patch is the primary cause of breaches.
Even though patching can be time consuming, the potential effort, cost, and losses associated with a breach make the effort worthwhile — and essential. Creating a patching schedule that works for your company is critical to good cyber hygiene. If your company needs help knowing where to start, a risk assessment will show where your potential vulnerabilities are. It will also show how to prioritize fixes and help create a plan of action for keeping systems secure.
It only takes one “device that isn’t fully updated to create a network entry point, putting the entire organization at risk.” Whether your organization chooses an internal team to handle patching or uses automated tools, patching needs to be a priority. Failure to patch known vulnerabilities is leaving a door wide open to malicious actors. Reduce your risk and avoid the breaches you know you can prevent: patch.