Some 53% of 500 chief information security officers polled in the UK, Germany and the US say crisis patch management is a major disruption for their IT and security teams.
Enterprises have to issue an emergency patch five times a month on average, and each crisis patch takes an average of 13 man-hours to fix, according to the survey by security firm Bromium.
The survey also revealed that 53% of businesses have had to pay overtime, or bring in a third-party issues response team, to issue patches or fire-fight a security issue in the past year, at a cost of $19,908 (£15,480) per patch.
“We can see with the recent WannaCry outbreak – where an emergency patch was issued to stop the spread of the worm – that enterprises are still having to paper over the cracks in order to secure their systems,” said Simon Crosby, Bromium chief technology officer and co-founder.
“The fact that these patches have to be issued right away can be hugely disruptive to security teams, and often very costly to businesses, but not doing so can have dire consequences.”
WannaCry is not an isolated case, said Crosby. “As ransomware and polymorphic malware become increasingly sophisticated and difficult to defend against, we are going to see many more emergency patches become a crisis – although, sadly, they will often be too late,” he said.
Verizon’s 2017 Data Breach Investigations Report shows there has been a 50% rise in ransomware in the past year, and a recent Webroot report showed that 97% of malware infections are polymorphic. As such, waiting for a patch is often too late for most organisations, even when the patch is issued promptly.
This issue is compounded by the fact that many enterprises are still tied to legacy systems. Computers running Windows 7 accounted for the biggest proportion of machines infected with the WannaCry ransomware, according to Kaspersky Lab, while Statcounter said Windows 7 is also the most popular version of Microsoft’s operating system, accounting for almost half (46%) of Windows computers.
Yet reasons for failing to upgrade can be multifaceted – further research shows that 40% of enterprise software is paid for, but sits unused. This is largely because upgrades are often costly, complex, disruptive and, in some instances, unachievable because of application dependencies.
After patching, security firms have been quick to advise customers to update operating systems, improve user education, and deploy better detection systems, but this advice often fails to chime with the reality of running IT for the enterprise, according to Bromium.
“WannaCry has certainly put a spotlight on a problem that has plagued enterprises for years,” said Crosby. “It is simply impractical to expect enterprise organisations to continually upgrade. Even when they have licences, the actual deployment creates huge disruption, or in some instances would require an entire hardware refresh and result in huge upfront capital costs.
“This is why so many businesses with enterprise agreements still do not upgrade. We need to accept and understand that enterprises are not in a position to constantly patch and upgrade, and apply security that meets the needs of the real world, not the ideal one.”
According to Crosby, micro-virtualisation, whereby individual web pages, documents and workloads run in isolated containers, is the only practical solution to this problem.
Bromium and Glasswall Solutions are examples of security suppliers that are developing technologies with end-users in mind. The technologies are designed to enable employees to work without worrying about being tricked into triggering a malware infection.
There is a groundswell of opinion that end-users cannot be expected to spot well-crafted social engineering attacks designed to trick them into clicking on malicious links and attachments.
Bromium uses micro-virtualisation technology to ensure that whatever a user clicks on launches only within its own virtual machine, or micro-VM, so that any malicious code is not passed on to the main IT environment. Glasswall’s software is designed to strip out malicious documents and links before they ever reach employees by breaking documents down to byte level and passing on only the “known good” as defined by manufacturers’ file format standards.
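The “known good” rebuild approach described above can be illustrated with a small allow-list sanitiser. The following Python is an added example written for this article; it is not Glasswall’s code and says nothing about how that product is implemented. It assumes PNG as the file format (chosen because its chunk structure is simple and well specified): the file is parsed to byte level, every chunk’s length and CRC are checked against the specification, only the critical chunk types a decoder actually needs are kept, and the output is rebuilt from scratch rather than copied through. The sample image and its extra metadata chunk are constructed inline so the script runs offline.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"

# Allow-list taken from the PNG specification: the critical chunks a decoder
# needs. Anything else (tEXt, iCCP, eXIf, vendor-private chunks ...) is dropped
# outright rather than inspected for malicious content.
ALLOWED_CHUNKS = {b"IHDR", b"PLTE", b"IDAT", b"IEND"}


def iter_chunks(data):
    """Yield (type, payload) for each chunk, enforcing length bounds and CRCs."""
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG file")
    pos = len(PNG_SIGNATURE)
    while pos < len(data):
        if pos + 8 > len(data):
            raise ValueError("truncated chunk header")
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        start = pos + 8
        end = start + length
        if end + 4 > len(data):
            raise ValueError("chunk length exceeds file size")
        payload = data[start:end]
        (crc,) = struct.unpack(">I", data[end:end + 4])
        # CRC covers the type field and the payload, per the spec.
        if zlib.crc32(ctype + payload) & 0xFFFFFFFF != crc:
            raise ValueError("bad CRC in %r chunk" % ctype)
        yield ctype, payload
        pos = end + 4


def build_chunk(ctype, payload):
    """Serialise one chunk with a freshly computed CRC."""
    crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)


def sanitize_png(data):
    """Rebuild the PNG from parsed fields, keeping only allow-listed chunks."""
    kept = [(t, p) for t, p in iter_chunks(data) if t in ALLOWED_CHUNKS]
    # Structural rules from the spec: IHDR first, IEND last, IHDR is 13 bytes.
    if not kept or kept[0][0] != b"IHDR" or kept[-1][0] != b"IEND":
        raise ValueError("chunk order violates the PNG specification")
    if len(kept[0][1]) != 13:
        raise ValueError("IHDR must be exactly 13 bytes")
    return PNG_SIGNATURE + b"".join(build_chunk(t, p) for t, p in kept)


def chunk_types(data):
    """List chunk type names in file order (handy for before/after comparison)."""
    return [t.decode("ascii") for t, _ in iter_chunks(data)]


def make_sample_png():
    """Constructed 1x1 greyscale PNG with an extra tEXt chunk (not a real file)."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)  # 1x1, 8-bit, greyscale
    idat = zlib.compress(b"\x00\x80")                     # filter byte + one pixel
    text = b"Comment\x00constructed metadata to be stripped"
    return (PNG_SIGNATURE
            + build_chunk(b"IHDR", ihdr)
            + build_chunk(b"tEXt", text)
            + build_chunk(b"IDAT", idat)
            + build_chunk(b"IEND", b""))


if __name__ == "__main__":
    sample = make_sample_png()
    print("before:", chunk_types(sample))
    print("after: ", chunk_types(sanitize_png(sample)))
```

The design point is that nothing from the input reaches the output except fields the parser has explicitly understood and re-encoded; a corrupt CRC, an oversized length or a chunk in the wrong position causes the file to be rejected rather than repaired. A production sanitiser would go further and validate the IHDR fields and the decompressed IDAT stream, and would need an equivalent parser for every format it accepts.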