The security industry has a problem. Software suppliers work all hours to provide new patches and signatures, and then what happens? Users don't run updates, or one of the IT staff forgets to implement a patch, and something that should have been fixed becomes the latest vulnerability to be exploited.
For IT managers this is a constant source of frustration. But whether it is eating badly, not taking enough exercise, or continuing to smoke, whatever the health warnings say, it seems that not doing the right thing is basic human nature. We know the risks, we know what we should be doing, but it doesn't happen.
For IT staff trying to keep on top of security threats, things would be hard enough without these failings. But faced with the continuous stream of patches and updates, it seems to require superhuman diligence to ensure there are no gaps.
To tackle this, the first and most crucial step is to face up to the problem. Your IT staff will have many claims on their time competing with patching systems. And as for the users, running virus updates is just one more task that they do not get around to, because it slows their PC down too much or because their laptop was at home when the update was scheduled.
Living with these human imperfections does not mean accepting a lower standard of security. Companies can do a lot to automate patching and updating. At its simplest, this can mean ensuring that automatic updates are set up correctly, such as Windows Update and anti-virus updates on PCs.
Central management of updates is another option, although there are limitations to how effective this can be. But it is a significant step forward, taking the responsibility for updating away from the end-user.
Patch management is time-consuming and can be vulnerable to manual errors. Patch management software can help, but ultimately the whole process is flawed. Even if you are completely up to date, patches may be released too late, or they can create new problems when installed.
It is time for suppliers to take responsibility for their business users' protection. The only way to guarantee this is for the supplier to remotely manage the updating and configuration of their products over the internet, through a direct connection with their users. The current solution offered by many suppliers - requiring users to download patches from an internet site - is still too much of a hassle.
Only when suppliers stop expecting users to do what is really the supplier's job will protection improve - and updates will happen 24x7 whether the IT guy is at his desk or not. It is technically possible now, and cost-effective solutions exist for all sizes of organisation - the more suppliers that take this route, the lower the risk of security breaches will be.
Mike Fenton is director of managed internet security supplier Network Box
This was first published in June 2004