Bromium has published the findings of an independent survey of 500 CISOs from Germany, the UK and the US into the cost and frequency of crisis patch management. The research shows that companies are struggling to maintain emergency patch cycles, despite the fact that enterprise reliance on legacy systems often means emergency patches are an everyday fact of life.
Key findings of the research show that:
- Over half (53%) of CISOs say crisis patch management is a major disruption to their IT and security teams
- Enterprises have to issue an emergency patch on average 5 times per month, with each crisis patch taking an average of 13 man hours to fix
- 53% of businesses have had to pay overtime, or bring in a third party issues response team, to issue patches or fire-fight a security issue in the past year, at a cost of $19,908 per patch
“We can see with the recent WannaCry outbreak – where an emergency patch was issued to stop the spread of the worm – that enterprises are still having to paper over the cracks in order to secure their systems,” said Simon Crosby, Bromium CTO and co-founder. “The fact that these patches have to be issued right away can be hugely disruptive to security teams, and often very costly to businesses, but not doing so can have dire consequences. WannaCry certainly isn’t an isolated case and as ransomware and polymorphic malware become increasingly sophisticated and difficult to defend against, we are going to see many more emergency patches become a crisis – although, sadly, they will often be too late.”
Verizon’s recent Data Breach Investigations Report showed a 50% rise in ransomware compared to last year. In addition, a recent Webroot report showed that 97% of malware infections are polymorphic; as such, waiting for a patch is often too late for most organizations, even when they are fast enough to deploy it right away.
This issue is compounded by the fact that many enterprises are still tied to legacy systems. Windows 7 was reportedly the system worst hit by WannaCry, and according to Statcounter it is also the most popular version of Microsoft’s operating system, accounting for almost half (46%) of Windows computers. Yet the reasons for failing to upgrade can be multifaceted: further research shows that 40 percent of enterprise software is paid for but sits unused, largely because upgrades are often costly, complex, disruptive and in some instances unachievable due to application dependencies.
Many security firms have been quick to advise customers on everything from OS upgrades, to better education for users, to putting in more detection capabilities. Still, this advice often fails to chime with the reality of running IT for the enterprise.
“WannaCry has certainly shined a spotlight on a problem that has plagued enterprises for years. It is simply impractical to expect enterprise organisations to continually upgrade – even when they have licences, the actual deployment creates huge disruption, or in some instances would require an entire hardware refresh and result in huge upfront capital costs,” Crosby continues. “This is why so many businesses with enterprise agreements still do not upgrade. We need to accept and understand that enterprises are not in a position to constantly patch and upgrade, and apply security that meets the needs of the real world, not the ideal one. Micro-virtualization, whereby individual web pages, documents and workloads can be performed in isolated containers, is the only practical solution to address this problem.”