Patching must prioritise vulnerabilities

Sheila Zabeu

October 21, 2021

Installing patches is still a very complex and time-consuming process for a large majority (71%) of IT and cybersecurity professionals, according to the results of a recent survey. In addition, 57% of respondents said that remote working has increased the complexity and scale of patch management.

The current pace of business and the intense shift to remote working have accelerated digital transformation by seven years, the study finds. Employees access corporate networks, data, and services from multiple devices and different locations. As a result, patching has never been more challenging. At the same time, unpatched vulnerabilities remain one of the most common entry points for intrusions and ransomware attacks. The scenario is alarming: the longer vulnerabilities remain unpatched, the more companies of all industries and sizes are exposed to risk.

For 62% of respondents, patching to reduce vulnerability exposure lags behind other tasks due to lack of resources. Many companies lack cybersecurity experts, or lack the time to gather intelligence that would let them link active threats to unpatched vulnerabilities, in other words, to build a risk-based threat context.

In addition, 60% said the patching process causes disruptions to user workflow. What’s more, 61% of IT and cybersecurity professionals said that business leaders ask them to make exceptions or postpone maintenance windows once a quarter because systems can’t afford to be down. Another 28% said they receive such requests once a month. Many business leaders do not realize that the number of vulnerabilities being weaponized for intrusion continues to grow.

The study also highlighted that IT and cybersecurity teams are failing to devise plans to respond to attacks quickly enough. More than half (53%) reported that organizing and prioritizing critical vulnerabilities consumes the most time, followed by resolving failed patches (19%), patch testing (15%), and coordinating with other departments (10%). The challenges faced when it comes to patching may be why 49% of respondents believe their companies’ current patch management protocols fall short in terms of effective risk mitigation.

To overcome these challenges, industry leaders, experts and analysts recommend a risk-based approach to identify and prioritize vulnerabilities and then accelerate the patching process. The White House recently released a memo encouraging, among other actions, the use of risk-based assessment strategies in patch management. Gartner has also listed this vulnerability prioritization methodology as one of the important elements of well-designed cybersecurity projects.

“Precious time can be spent analyzing possibilities in search of the notion of perfect protection that simply doesn’t exist. We must improve the resilience of organizations through innovative approaches to detection and response, and ultimately recovery from cybersecurity incidents,” says Brian Reed, senior analyst at Gartner.

Gartner’s recommendation on patching is not to try to patch everything, but to focus on the vulnerabilities that are actually exploitable. Go beyond mass evaluation and use intelligence on active threats, attacker activity, and the criticality of internal assets to get a better view of real organizational risk.
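The ranking logic described above, as an added illustration rather than code from the article, Gartner or Ivanti: each finding is scored by base severity, weighted by threat context (public exploit code, observed active exploitation) and by the criticality of the affected asset, so that an actively exploited medium-severity flaw on a business-critical system outranks a high-severity flaw nobody is exploiting on a development box. The identifiers, weights and findings are constructed for this example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Finding:
    vuln_id: str             # placeholder identifier, constructed for this example
    asset: str
    cvss: float              # base severity on the usual 0-10 scale
    asset_criticality: int   # 1 = lab/dev system ... 5 = business-critical
    public_exploit: bool     # working exploit code is publicly available
    actively_exploited: bool # threat intelligence reports attackers using it

def risk_score(f: Finding) -> float:
    """Severity adjusted by threat context and asset criticality.

    Weights are illustrative assumptions: active exploitation counts far
    more than a public exploit, which counts more than severity alone.
    """
    threat = 1.0
    if f.public_exploit:
        threat = 2.0
    if f.actively_exploited:
        threat = 4.0
    criticality = f.asset_criticality / 5.0   # scales 0.2 ... 1.0
    return round(f.cvss * threat * criticality, 2)

def prioritise(findings: list[Finding]) -> list[Finding]:
    """Return findings ordered from most to least urgent to patch."""
    return sorted(findings, key=risk_score, reverse=True)

def patch_window(findings: list[Finding], capacity: int) -> list[str]:
    """IDs that fit into a maintenance window that can take `capacity` patches."""
    return [f.vuln_id for f in prioritise(findings)[:capacity]]

# Constructed sample findings (not real vulnerabilities).
SAMPLE = [
    Finding("EX-0001", "dev-build-01",  9.8, 1, False, False),
    Finding("EX-0002", "erp-db-prod",   6.5, 5, True,  True),
    Finding("EX-0003", "vpn-gateway",   8.1, 4, True,  False),
    Finding("EX-0004", "file-share-02", 7.5, 3, False, False),
]

if __name__ == "__main__":
    for f in prioritise(SAMPLE):
        print(f"{f.vuln_id}  {f.asset:<14} score={risk_score(f)}")
```

Mass evaluation by CVSS alone would put EX-0001 first; the risk-based ordering puts it last.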

The survey on patching was conducted by Ivanti, a company that provides automation solutions to discover, manage and protect IT assets from cloud to edge. More than 500 IT and cybersecurity professionals in North America and the EMEA region were surveyed.