Patching: The forgotten hero

‘National Clean Up Your Computer Day’ is due to be celebrated this year on the 12th February. Not only is it a good occasion for organisations to remind their employees to carry out important computer maintenance that usually falls by the wayside, it is also an opportunity for businesses to make sure that they are conducting basic IT health checks.   

In fact, companies should take notice of this now more than ever as the cybercrime threat becomes increasingly dangerous. Not only did we see a large number of high-profile hacks last year, including those which utilised weaponised malware such as WannaCry and NotPetya, but according to recent research by the Online Trust Alliance, 160,000 cybersecurity incidents were reported in 2017, nearly double the 82,000 reported in 2016. So far this year, multiple new and modified strains of malware have appeared, posing new threats to businesses. For example, Scarabey, a new version of the older Scarab ransomware, has surfaced. It threatens to delete 24 files every 24 hours until a ransom is paid in Bitcoin.

The dire state of the security landscape means that businesses need to make sure they are taking cybersecurity seriously and making sure they implement necessary measures effectively.   

Getting Back to the Unsung Basics   

As organisations look to strengthen their cybersecurity postures in 2018, I recommend that they implement the basic security best practices that National Clean Up Your Computer Day looks to promote, beyond simplistic practices like wiping your computer screen down. While some businesses may have taken strides towards improved endpoint security in the wake of 2017’s devastating attacks, by patching quickly and comprehensively and demonstrating compliance with company policies, this still isn’t a priority for many companies. The OTA report mentioned above revealed that 93 percent of reported incidents could have been prevented by following basic security best practices, such as implementing patching software.

All too often, organisations invest too much of their security budgets on a wide range of solutions that aren’t compatible as a whole, and don’t provide teams with a comprehensive picture of the risk environment. In many cases, this actually results in gaps being created as organisations juggle multiple vendors and solutions. A layered approach to cybersecurity is necessary in order to best protect against attacks, so organisations should cater for the basics as well as using more complicated solutions. So, while the humble patch may seem simple, it is arguably the forgotten hero that needs to be celebrated, and certainly implemented, this National Clean Up Your Computer Day.   

Software Is Inherently Vulnerable

Patching is essential for the very simple reason that software is inherently vulnerable. It is easy to forget in this digital age that the hundreds of thousands of lines of code out there are all written by humans. Unfortunately, people aren’t perfect and often make mistakes, which means that no software is completely free of errors or immune to cyberattacks. Furthermore, the older software gets, the more likely it is that its vulnerabilities will be discovered and exploited.

WannaCry illustrated that a lot of known vulnerabilities don’t get patched. Patches were available for supported Windows operating systems before and after WannaCry hit, and Microsoft pushed an emergency patch for unsupported versions including XP, Vista, Windows 8, and Server 2003 and 2008 editions. Despite this, it appeared organisations didn’t learn their lesson: a month later, thousands of organisations globally became victims of the NotPetya attack, which also exploited vulnerabilities for which patches already existed.

IT health checks are crucial: just because a patch is available doesn’t mean it is being applied correctly, and this needs to change within all organisations. And with the annual average cost of cyberattacks per business valued at $11.7 million in 2017, organisations can’t afford not to carry out the basic security maintenance that ensures patches are being implemented properly.

Automation Can Lighten the Load   

An unpatched hole is like an open window or an unlocked door to a hacker. This raises an important question: if patching is so essential, why did 93% of organisations who reported a security incident fail to properly implement cybersecurity basics last year? The problem with patching is that it is a long, wearisome process when done manually. Furthermore, organisations often forget that programs and data hosted on virtual servers and in the cloud need to be patched, as well as physical devices. There is certainly a lot to think about to ensure that the job gets done correctly.

This is why I suggest that organisations look into automating their patching. This would ensure that systems are continuously scanned for missing patches, and automated solutions can deploy patches where necessary without human intervention. Cybersecurity teams would therefore have more time to dedicate to proactive tasks, and could receive real-time reporting in order to remain informed and compliant with the upcoming GDPR and NIS regulations, which require full visibility into an organisation’s systems.
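The scan-and-report half of that automation, as an added example that is not Ivanti's code or part of the original article: it reconciles each host's installed updates (physical, virtual and cloud hosts alike) against a required baseline and produces the compliance figures a team would report on. The update identifiers, the baseline and the host inventory are constructed placeholders; the one detail worth getting right is that a required update also counts as present when a later update that supersedes it (a cumulative rollup, say) is installed, otherwise the report flags hosts that are in fact patched.

```python
"""Patch-compliance audit: which required updates is each host missing?"""
from dataclasses import dataclass, field

# Constructed baseline (placeholder ids, not real KB numbers). Each required
# update maps to the set of later updates that supersede it.
BASELINE = {
    "KB-EXAMPLE-0001": {"KB-EXAMPLE-0005"},  # rolled up into 0005
    "KB-EXAMPLE-0002": set(),                # no superseding update
    "KB-EXAMPLE-0003": {"KB-EXAMPLE-0005"},  # rolled up into 0005
}

# Constructed inventory: host name -> updates reported as installed.
INVENTORY = {
    "file-srv-01":  ["KB-EXAMPLE-0001", "KB-EXAMPLE-0002", "KB-EXAMPLE-0003"],
    "vm-app-02":    ["KB-EXAMPLE-0005", "KB-EXAMPLE-0002"],  # rollup covers 0001/0003
    "cloud-web-03": ["KB-EXAMPLE-0001"],                     # never patched further
}


@dataclass
class HostReport:
    host: str
    missing: list = field(default_factory=list)

    @property
    def compliant(self) -> bool:
        return not self.missing


def missing_updates(installed, baseline=BASELINE):
    """Required updates satisfied neither directly nor by a superseding update."""
    have = set(installed)
    return sorted(kb for kb, supersedes in baseline.items()
                  if kb not in have and not (supersedes & have))


def audit(inventory, baseline=BASELINE):
    """One report per host, sorted by host name for stable output."""
    return [HostReport(host, missing_updates(kbs, baseline))
            for host, kbs in sorted(inventory.items())]


def compliance_summary(reports):
    """Headline numbers for the status report: host count and percent compliant."""
    total = len(reports)
    ok = sum(r.compliant for r in reports)
    return {"hosts": total, "compliant": ok,
            "percent": round(100 * ok / total, 1) if total else 0.0}


if __name__ == "__main__":
    reports = audit(INVENTORY)
    for r in reports:
        print(f"{r.host}: {'OK' if r.compliant else 'MISSING ' + ', '.join(r.missing)}")
    print(compliance_summary(reports))
```

The deploy step would consume the `missing` list per host; the audit should then be re-run after deployment, since a patch that failed to install silently is exactly the gap the health check exists to find.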

So, this National Clean Up Your Computer Day, do seize the opportunity to remind your employees to perform basic maintenance on their computers, for example making sure that unused and duplicated files and programs are deleted. But, even more importantly, I want to hit home that you should take this opportunity to ensure that your cybersecurity basics are being implemented properly within your organisation, so that internal security is strong from the ground up.

Chris Goettl, Director of Product Management, Security at Ivanti   

Image Credit: Eugenio Marongiu / Shutterstock