A study conducted by managed security service provider Activis, a UK subsidiary of the German company, Articon-Integralis, found that security managers at a company with an IT infrastructure comprising eight firewalls and nine servers would have had to make 1,315 updates to those systems in the past nine months alone; the equivalent of five updates per working day.
That number is based on the total number of updates and patches released during that period by some of the major software and security vendors.
John Cheney, managing director of Activis, said the study looked at a typical configuration used by most companies. These included Microsoft's NT Servers, SQL Server and Exchange, Checkpoint Software Technologies's firewall products, Sophos's antivirus applications and Internet Security Systems's RealSecure network and server scanners.
Although most software vendors advise companies to install every patch that is issued, Cheney observed that it was unrealistic to expect an organisation using hundreds of servers to update every server with every new patch.
If installing patches and updating systems for security vulnerabilities overwhelms IT managers, Cheney recommended that they start with public-facing systems such as Internet sites and Web portals.
And while companies like Microsoft have addressed the problem of patch management by releasing automated tools, Cheney said that automated installation and downtime related to rebooting servers after the installation of patches are still major challenges for the security industry.