Many UK businesses are struggling to manage the risks posed by software security vulnerabilities, with more than 20% of IT departments taking a week or more to install patches after they are issued.
In addition, nearly 50% of firms have no accurate picture of how many patches they are applying across their systems, or how much the deployment of patches is costing their business.
The findings come from a pan-European survey of more than 600 senior IT decision makers in firms with more than 250 employees, conducted by Ipsos Research for anti-virus supplier McAfee.
What emerged from the research was that many businesses had yet to take a strategic approach to patch management. However, many IT departments were beginning to apply themselves to the issue, with nearly 20% spending an hour or more per day researching vulnerabilities and patches to assess the risks posed.
Some 42% of those surveyed said they did not have a strategy in place to prioritise particular areas of the business for early patching. And nearly 20% admitted that they were not confident that their patch management processes were in compliance with international regulations.
Greg Day, a senior security analyst at McAfee, said, "Many firms do not know what patches mean to them. When assessing whether or not to deploy a patch, IT chiefs need to start asking themselves which parts of the business might need it most, and whether there is a better approach than blanket fire-fighting, which can be time-consuming and contribute to the lag between the issuing of patches and their deployment within the business."
Day said firms should also consider adopting other approaches to limit their vulnerability, such as deploying intrusion prevention systems, to buy themselves time to carry out vulnerability assessments of software flaws.