When it comes to data security, we hear a lot about how cyber attackers are becoming more sophisticated or that cloud technology is full of risks. While these statements are true to some extent, both can be convenient excuses hiding a harsher truth. Today, neglect is actually one of the biggest threats to corporate data.
According to the 2015 Cyber Risk Report from HP Security Research, all nine of the most dangerous enterprise vulnerabilities detected in the wild were more than three years old. US-CERT found similar aging in its study of the 30 most-targeted network exploits. All told, US-CERT estimates that 85 percent of network attacks are preventable.
A simple security patch would have sufficed in most cases — and for these bugs in particular, patches have been available for years. Were security professionals so negligent in applying updates because of apathy, or worse? Maybe not. Maybe there’s a deeper problem throughout the industry that needs to be addressed.
Why is this happening? Lazy security professionals would be the convenient answer, but it is also an inaccurate one. Vendors often fail to communicate when patches are available and what their expected impact will be. Worse, too many patches arrive with unwanted bloatware that does more harm than good.
When Patching Becomes A Risk
Consider Microsoft, which last year released six patches that immediately caused problems for users. Apple and Oracle had similar issues over the same period. In Oracle’s case, an August 2014 update to Java broke third-party applications, forcing the company to reissue the patch. For Apple, an iOS update released in September crippled several iPhone functions, including the ability for some users to make calls.
It’s tough to blame CIOs and security leaders for remaining cautious when well-intentioned patches unleash unintended — and nasty — consequences.
Yet manual patching isn’t the answer. Multiply the hours it takes to patch a system by the number of systems affected, then by the hourly rate of the consultants you’ve hired to do the job, and even mid-size enterprises will find themselves spending hundreds of thousands of dollars for just one patch. IT neglect seems like the better choice when the alternative is shuttering operations.
Automation has to be part of the answer when it comes to patching fast-growing IT infrastructures. Regular auditing is also needed to find and fix break points introduced with systemized updates. Anything less is unacceptable when you consider how damaging breaches have become.
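As an added illustration of the automate-and-audit approach (example code, not from the article or any vendor), the script below runs a patch-lag audit over a constructed host inventory, reporting how long a newer version has been available but not installed, and gates fleet-wide automatic rollout on a canary ring passing its post-patch checks. The threshold, host names and version numbers are assumptions.

```python
from dataclasses import dataclass
from datetime import date

# Policy threshold (an assumption, not a figure from the article): a patch
# that has been available longer than this without being applied is flagged.
MAX_PATCH_AGE_DAYS = 30

@dataclass
class Host:
    name: str
    ring: str            # "canary" (patched first) or "fleet"
    installed: str       # version currently installed
    latest: str          # newest version the vendor has released
    patch_released: date # when that newest version became available

def patch_lag_days(host: Host, today: date) -> int:
    """Days a newer version has been available but not installed (0 if current)."""
    if host.installed == host.latest:
        return 0
    return (today - host.patch_released).days

def audit(hosts, today):
    """Return (host, lag_days) for hosts exceeding policy, most overdue first."""
    overdue = [(h.name, patch_lag_days(h, today)) for h in hosts
               if patch_lag_days(h, today) > MAX_PATCH_AGE_DAYS]
    return sorted(overdue, key=lambda t: -t[1])

def rollout_allowed(hosts, canary_results):
    """Allow fleet-wide automatic patching only when every canary host is
    already on the latest version and passed its post-patch health checks."""
    canaries = [h for h in hosts if h.ring == "canary"]
    if not canaries:
        return False
    return all(h.installed == h.latest and canary_results.get(h.name) is True
               for h in canaries)

# Constructed sample inventory: hostnames, versions and dates are made up.
TODAY = date(2015, 7, 1)
INVENTORY = [
    Host("web-canary-1", "canary", "2.4.3", "2.4.3", date(2015, 5, 1)),
    Host("web-01", "fleet", "2.2.1", "2.4.3", date(2015, 5, 1)),
    Host("db-02", "fleet", "1.7.0", "1.7.9", date(2012, 3, 15)),
    Host("app-05", "fleet", "5.1.0", "5.1.0", date(2015, 6, 20)),
]
CANARY_CHECKS = {"web-canary-1": True}  # post-patch health checks passed

if __name__ == "__main__":
    for name, days in audit(INVENTORY, TODAY):
        print(f"{name}: patch available for {days} days")
    print("fleet rollout allowed:", rollout_allowed(INVENTORY, CANARY_CHECKS))
```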
Risk Versus Reward
Just recently, Polish airline LOT suffered an attack that literally grounded 1,400 passengers. Furthermore, the recent hack of the Office of Personnel Management exposed highly personal background information of millions of current and past federal employees — including mine. The Sony document leak — while reputationally damaging — looks tame by comparison.
To be fair, we don’t yet know which network holes these organizations left unplugged, but old exploits should have no chance against a self-healing IT platform that’s constantly applying the latest patches. That most security isn’t being implemented and managed this way is a serious problem with geometric consequences.
Think about the size of your business. Now consider how many devices each employee plugs into your network. For any given individual in your organization, it’s going to be at least two (i.e., a computer and a smartphone) and will often be three (i.e., a computer, a smartphone and a tablet). Every one of those devices is a node, and every node is a potential entry point for an attacker. Broad-scale, timely action in cybersecurity is crucial for providing real protection to the underlying network.
Yet our actions run to the contrary: Many CIOs and security leaders appear to have made the deliberate decision to avoid automatic patching updates for fear of the consequences of not having direct control over how new software makes its way into their infrastructures. Vendors should read this as a reflection of how badly they’ve breached trust in the patching process.
Earning back the trust of users — their direct customers — won’t be easy, but it’s essential if software vendors are to restore faith in automatic updates.
Key to this is the open and transparent communication of patches and their impact. Customers must be told when patches are available, what the patches do and what implications they may have. When problems arise, vendors should be equally clear about what is happening and offer workarounds to those affected.
In short, vendors need to approach the communications surrounding security patches as a matter of customer protections rather than public relations.