If you google a phrase like “top cybersecurity risks of this year,” you’ll find lists suggesting that attacks on connected devices, mobile devices that expose personal and corporate data and continuously evolving ransomware are among the most serious security challenges businesses face today.
If you read between the lines, you’ll notice that there’s a common theme underlying all of these threats: unpatched software.
After all, vulnerable, unpatched software is often the very thing that allows attackers to compromise devices or plant ransomware. Although there are other methods, like social engineering, that threat actors can use to bypass defenses, the simplest plan of attack is often to exploit known vulnerabilities in software that businesses have failed to update.
In fact, 60 percent of system administrators report either having no patching solution in place for third-party apps they manage or being unsure how their software is patched.
The good news? This is a challenge businesses can solve easily enough.
Doing so requires an understanding of why software patching practices are so fraught at many organizations and what solutions are available to help close the gaps and implement a comprehensive, systematic approach to patching.
Tips for Software Patching
- Deploy an automatic solution for vulnerability detection and patching.
- Run patches overnight to avoid disturbing your organization’s workflow.
- Integrate your patching solution with the endpoint management tools sysadmins use to track devices connected to their networks.
Challenges of Software Patching
Most sysadmins, or system administrators, know that they should install software patches. In addition to providing bug fixes, patches remediate critical security vulnerabilities.
Since many of those vulnerabilities are detailed in publicly available databases, it’s easy for the bad guys to take advantage of security risks when organizations don’t install updates.
That said, ensuring that all applications are up-to-date based on the latest available patches can be deeply challenging for modern sysadmins for several reasons.
Overwhelming Volume of Updates
One obstacle is the sheer volume of applications and patches that admins have to contend with. Some of the enterprises my company helps support have as many as 6,000 distinct applications when accounting for localization running within their networks.
Each application vendor releases patches on a different schedule, and dozens or hundreds of new patches may appear on any given day. It’s easy to understand why sysadmins may overlook critical patches, especially if they have not implemented an automated, centralized way to track patching status and install available updates.
Insecure Remote Networks
Remote work also complicates software patching.
When many of the devices that employees use — and that host sensitive applications and data themselves, or connect over the corporate network to sensitive resources — are not physically present on premises that the company controls, it becomes harder to ensure the devices are always up-to-date with the latest software patches.
Lack of Resources
The fact that sysadmins have lots of other responsibilities to manage beyond patching can also contribute to patching difficulties.
Many teams are stretched thin, especially in the current era of hiring freezes and staffing reductions. Even when admins are aware that critical vulnerabilities are not patched, they may lack the staff resources to address the issue right away.
Benefits of Patching
Despite these challenges, patching remains one of the most basic and cost-effective steps an organization can take to tame cybersecurity threats. Installing patches takes little time, especially when teams automate the process.
The cost of a cybersecurity breach averaged $4.45 million in 2023. By comparison, a centralized, automated software patching tool typically costs just dollars per year per endpoint.
Even at large companies with tens of thousands of devices, the total expense of patching is far lower than the cost of a breach.
Patching is also one of the simplest steps an organization can take to reduce cybersecurity threats. It’s much easier than parsing reams of threat intelligence to anticipate what attackers are trying to do, or deploying complex security analytics tools to detect threats.
Organizations should do those things, too, to maximize the strength of their security defenses. But comparatively, systematic patching is a much easier practice to implement, and it plays at least as critical a role in reducing the chances of a breach.
How to Patch Effectively
How can businesses solve these challenges and ensure their software is routinely patched?
It starts with deploying a solution that can automatically detect which applications are running on a business’s devices and network — including any devices connected from remote locations — then identify which patches are available for the apps. From there, the software should automatically deploy patches as soon as they become available.
Additional considerations include the ability to decide exactly when patches are installed by, for example, deploying non-critical updates overnight. This minimizes the chances of disrupting employee productivity with patches.
Integration with the endpoint management tools sysadmins use to track the devices connected to their networks helps streamline patching, too, by making it easy to identify the patching status of each endpoint.
Close the Door to Cybercrime With Automation
No matter how you approach patching, your main goal should be to avoid a manual or ad hoc approach.
Manually finding and installing patches worked well enough for organizations in the days when the volume of apps and updates was lower, and when most or all devices existed on-site. But those days are gone.
Today, sysadmins need centralized, automated patch detection and installation to close the gaps that open the door to ransomware, data exfiltration, device compromise and all other manner of attack.
