How to Close the Patch Gap

• A majority of cyberattack victims say their breaches could have been prevented by installing patches
• Most companies don’t have the resources to keep up with all the patches they need to install
• Companies can reduce the burden on staffers by automating the patch process

Updating software to install the latest security features sounds relatively easy if you’re talking about a laptop or a phone. You simply download an update, wait around for a little while, and the patch is applied with little to no effort on your part.

Patching enterprise software is vastly more complex and a growing risk for companies of almost every size and type. Unpatched business systems are a gold mine for hackers seeking to steal data or hold it hostage. It’s one of the main causes of what Accenture estimates were $21 billion in cybercrime‑related losses to U.S. companies in 2017.

An alarming 57% of cyberattack victims report that their breaches could have been prevented by installing an available patch, according to a new ServiceNow study conducted by the Ponemon Institute. And 34% of those respondents were already aware of the vulnerability before they were attacked.

37% of breach victims don’t scan their networks and systems to see what they need to fix—a practice considered basic security hygiene. – Ponemon Institute study

The root problem, one that’s only getting worse, is what experts call a patching gap. Even though patches for software vulnerabilities are widely available, security and IT teams often lack sufficient knowledge or resources to keep up with them. One primary cause: 37% of breach victims don’t scan their networks and systems to see what they need to fix—a practice considered basic security hygiene.

The situation is so dire, there’s a term for it. “Patch regrets” are widespread among security professionals who know that patching would have saved them some grief.

Get smart

The patching process isn’t as easy as clicking on an install button, explains Greg White, director of the Center for Infrastructure Assurance and Security at the University of Texas San Antonio.

“You don’t patch systems immediately,” White says. “You test a patch to see if systems act adversely with it. If that happens, you have a critical piece of software that no longer works.” If the patch can’t eliminate the vulnerability, security teams need to find another solution.

64% of security professionals say they’re trying to hire dedicated resources for patching over the next 12 months – Ponemon Institute study

Compounding the problem is a shortage of qualified personnel who can sort out which patches are high priority and which ones can wait their turn. “Security teams are overwhelmed,” says Piero DePaoli, senior director of product marketing of security operations for ServiceNow. That’s one reason why security organizations are increasing headcount to close the gap: 64% of security professionals say they’re trying to hire dedicated resources for patching over the next 12 months, according to the survey.

Read the full article on ServiceNow’s Workflow site.

To learn more, visit ServiceNow’s website dedicated to CIOs and education about the benefits of machine learning.