
Stop making excuses, start patching

Let’s face it: patching is the cybersecurity equivalent of flossing. Everyone knows they should do it, but far too many skimp on this critical task. Despite the well-known dangers of unpatched software and rising zero-day threats, patching remains a glaring problem in the enterprise.

Recent research finds that just over half of Macs in the workplace remain unprotected by security updates. Worse, in some cases, vulnerabilities dating back five years are still being exploited due to the sorry state of patching.

None of this is a surprise to IT. They’re fully aware of the risks, the roadblocks, and what it takes to patch properly. Yet many are still fumbling with “but-but-but” excuses around compatibility issues and time crunches. Going forward, especially amidst increased cyber threats and remote work, this isn’t good enough.

Wake up, IT leaders. With the right management approach, there’s no reason you shouldn’t be patching like your company’s life depends on it – because, frankly, it does.

More vulnerabilities, more patches

Hackers are more active following the pandemic and show no signs of slowing. The number of threats registered in the public catalogue of known information-security vulnerabilities, Common Vulnerabilities and Exposures (CVE), is expected to grow 25% this year. This equates to roughly 2,900 new vulnerabilities every month.

Concerningly, IT is often letting these threats come and go without action. About 45% of the CVEs reported last year remain unpatched, a big concern considering that such exploitable vulnerabilities are responsible for almost two-thirds of all data breaches. Of course, such breaches lead to a host of issues, including data loss, compliance complications, reputational damage, and lost productivity to name but a few.

The frustrating part is that IT has the tools to protect itself. For example, major tech corporations have become increasingly adept at acknowledging the existence of zero-day threats while simultaneously releasing fixes. Apple, Google, and Microsoft have consistently demonstrated this approach throughout 2024, releasing patches within days or even hours of discovering critical vulnerabilities. This proactive stance immediately transforms novel threats into known vulnerabilities with clear steps for remediation.

Therefore, IT does have the agency to fight back in this evermore dangerous climate. So, what’s the hold-up?

The patch problem for IT

Patching proves easier said than done due to three main factors. First, most leaders (70%) find it time-consuming, because an enterprise runs many different kinds of endpoints and each needs its own updates tracked. Then, applying patches can result in compatibility issues and end-user disruptions.

For example, most managers are afraid that applying security patches right after release could “break stuff.” This degree of difficulty is amped up if the company is running older software or hardware (which is sensitive to updates). Again, solving these problems takes valuable time.

Second, enterprise ecosystems are bigger than ever and only expanding in the age of bring-your-own-device and shadow IT. Testing and ensuring that patches are secure across this attack surface is a feat in and of itself. Further, if a patch causes issues, being able to roll it back across a complex environment is essential.

Third, hacks and fixes are coming online at a rapid rate. Keeping up with every single patch can be overwhelming. Therefore, it’s up to IT to understand their patch priorities and move swiftly to close the most important security gaps for their business.

Getting patch management right

Yes, time and complexity present patch problems, but smart deployment and a unified approach offer patch solutions.

Good patch management starts with a wider vulnerability management program, ensuring that IT understands its assets and their specific vulnerabilities. Then, set a strategy for implementing patches by establishing alerts and monitoring the big vendors for new releases. In the case of Apple, the company hosts a dedicated security page listing newly disclosed threats and the updates that fix them.

Next, constantly check for holes. For example, unified endpoint management (UEM) tools can support regular device audits, patch testing, and rollback plans. Likewise, such centralized platforms can schedule automatic updates during non-business hours to patch with as little disruption as possible.

Finally, armed with a thorough understanding of the ecosystem, prioritize the patches of business importance. If there’s a zero-day patch for an operating system that’s fundamental to your day-to-day operations, implement this before fixing a software flaw that only impacts a smaller share of users. This streamlines patching and offers extra runway to ensure compatibility before deployment.
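The prioritization described above, as an added example that is not part of the original article: a small triage routine over a constructed inventory that ranks findings so an exploited or zero-day fix on a business-critical operating system lands ahead of a minor application flaw, and assigns each one an assumed remediation deadline. The weights, deadlines, asset names and CVE-style identifiers are all illustrative assumptions, not real data.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Finding:
    """One unpatched vulnerability on one asset (all values constructed)."""
    cve: str                 # placeholder id, not a real CVE
    asset: str
    os_level: bool           # fix is to the operating system itself
    zero_day: bool           # vendor shipped the fix alongside the disclosure
    exploited: bool          # known to be exploited in the wild
    business_critical: bool  # asset underpins day-to-day operations
    affected_share: float    # fraction of users or devices affected, 0.0..1.0
    days_open: int           # days since the patch became available

def priority_score(f: Finding) -> float:
    """Higher means patch sooner. Weights are illustrative assumptions."""
    score = 0.0
    if f.zero_day or f.exploited:
        score += 50          # a known attack path outweighs everything else
    if f.business_critical:
        score += 30          # an outage or compromise here stops the business
    if f.os_level:
        score += 10          # OS fixes underpin every app on the device
    score += 10 * f.affected_share
    score += min(f.days_open, 30) / 3   # lingering patches creep upward, capped at +10
    return score

def sla_days(f: Finding) -> int:
    """Remediation deadline derived from the same criteria (assumed policy)."""
    if f.zero_day or f.exploited:
        return 3 if f.business_critical else 7
    return 14 if f.business_critical else 30

def is_overdue(f: Finding) -> bool:
    return f.days_open > sla_days(f)

def patch_queue(findings):
    """Order work: highest score first, then oldest, then by id for stability."""
    return sorted(findings, key=lambda f: (-priority_score(f), -f.days_open, f.cve))

# Constructed sample inventory for a hypothetical fleet
SAMPLE_FINDINGS = [
    Finding("CVE-0000-0001", "macOS laptops", True, True, False, True, 1.0, 1),
    Finding("CVE-0000-0002", "design app", False, False, False, False, 0.1, 5),
    Finding("CVE-0000-0003", "legacy file server", False, False, True, True, 0.3, 400),
]

if __name__ == "__main__":
    for f in patch_queue(SAMPLE_FINDINGS):
        flag = "OVERDUE" if is_overdue(f) else f"due in {sla_days(f) - f.days_open}d"
        print(f"{priority_score(f):6.1f}  {f.cve}  {f.asset:<20} {flag}")
```

Note that the year-old exploited flaw on the file server outranks the fresh but minor application bug, which is the page's point about old vulnerabilities still being exploited.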

No patching ifs or buts

Patching isn’t easy but it also isn’t optional. Hackers bank on your team leaving the backdoor open. It’s up to you to take patching seriously and stop them.

In need of further convincing? This isn’t just about security. Done right, patch management can also deliver performance benefits, compliance assurances, and less business downtime.

The pros far outweigh the cons when it comes to patching in this cybersecurity climate. Ultimately, those who don’t act will only have themselves to blame if an unpatched threat becomes a larger (and more expensive) headache down the road. A little digital flossing goes a long way.


This article was produced as part of TechRadarPro’s Expert Insights channel where we feature the best and brightest minds in the technology industry today. The views expressed here are those of the author and are not necessarily those of TechRadarPro or Future plc. If you are interested in contributing find out more here: https://www.techradar.com/news/submit-your-story-to-techradar-pro