As we near the end of 2014, we can definitively say it’s not been a great year for online security. Heartbleed and Shellshock were just the tip of the iceberg. WordPress is by far the most popular content management system on the web, and the WordPress security company Sucuri has had a fruitful year mining it for vulnerabilities — there were lots. Big companies like Target and Sony took serious hits, and the pitter-patter of smaller attacks echoed throughout the year. It’s the same every year, of course: there will probably always be vulnerabilities in software, but 2014 was the year the mainstream media really took notice of online security and, in their hyperbolic and less than accurate way, let the world know what is common knowledge among security researchers and software developers.
Given all of that, you’d think businesses would have gotten the message: security is a business critical issue. But, according to the recent 2014 State of Risk Report from Trustwave, 58 percent of businesses still don’t have a mature patch management strategy and 12 percent have no patch management strategy at all.
The survey was carried out over 16 months and included 476 CIOs, CTOs, IT managers and network administrators from over 50 countries.
Given that all software of sufficient complexity is likely to contain vulnerabilities, and that online criminals are more motivated than ever to find them, patching is of critical importance. It’s not over-the-top to say that white hat researchers and software developers are engaged in a permanent struggle with attackers. Patches are the most important weapon that the good guys have in that fight. Failing to properly manage patching of business software is tantamount to leaving the door open, and in the current climate, if you’re not patched, you’re almost certainly going to be hacked.
It’s understandable that in lean times, companies cut back on online security and concentrate their resources on front-line revenue generation, but in many ways, that’s a false economy. As the importance of online business grows, failing to patch is increasingly likely to have direct cost implications.
For a small site owner, patching might be as simple as keeping a WordPress or Magento installation upgraded (and even that is frequently neglected). But for larger companies with more complex networks and more interacting services, it becomes crucial to have complete insight into exactly what software they are running and to develop a comprehensive patch management strategy that accounts for all potential risks.
As IT deployments grow in complexity, it becomes ever more necessary to develop protocols and policies for keeping all potentially vulnerable software up-to-date and patched, and to do that with any efficiency and reliability requires a thorough knowledge of a company’s potential exposure. A piecemeal upgrade strategy no longer cuts it.
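The "complete insight" the last two paragraphs call for boils down to reconciling a software inventory against the versions you consider patched, and flagging both the assets that fall short and the assets you have no baseline for at all. The script below is an added example written for this page, not code from the article or from Trustwave or Sucuri; the inventory and the minimum-version table are constructed sample data, and the host names and products are placeholders. It also shows why the comparison has to parse versions rather than compare strings: as plain strings, `"1.9.10"` sorts before `"1.9.9"`, which would mark an up-to-date install as unpatched (or, with the test reversed, hide an outdated one).

```python
"""Reconcile a software inventory against a patched-version baseline.

Added example for illustration; all data below is constructed.
"""
import re
from dataclasses import dataclass


@dataclass
class Asset:
    host: str
    product: str
    version: str


# Constructed inventory: what each host reports it is running.
INVENTORY = [
    Asset("web-01", "wordpress", "4.1"),
    Asset("web-02", "wordpress", "3.9.2"),
    Asset("shop-01", "magento", "1.9.1.0"),
    Asset("shop-02", "magento", "1.9.0.1"),
    Asset("db-01", "openssl", "1.0.1g"),
    Asset("db-02", "openssl", "1.0.1f"),
    Asset("legacy-01", "oldcms", "2.3"),  # constructed product with no baseline entry
]

# Constructed baseline: the minimum version of each product treated as patched.
# In a real deployment this table is maintained from vendor advisories.
PATCHED_MIN = {
    "wordpress": "4.0.1",
    "magento": "1.9.1.0",
    "openssl": "1.0.1g",
}


def parse_version(version):
    """Split '1.0.1g' into [(1, ''), (0, ''), (1, 'g')] so components compare numerically.

    Each dotted component is a number with an optional letter suffix; anything else
    is rejected rather than silently mis-ordered.
    """
    parts = []
    for comp in version.split("."):
        m = re.fullmatch(r"(\d+)([A-Za-z]*)", comp)
        if not m:
            raise ValueError(f"unparseable version component {comp!r} in {version!r}")
        parts.append((int(m.group(1)), m.group(2)))
    return parts


def version_lt(a, b):
    """True if version a is older than version b. Shorter versions are padded with zeros,
    so '4.1' compares as '4.1.0' against '4.0.1'."""
    pa, pb = parse_version(a), parse_version(b)
    width = max(len(pa), len(pb))
    pa += [(0, "")] * (width - len(pa))
    pb += [(0, "")] * (width - len(pb))
    return pa < pb


def find_unpatched(inventory, baseline):
    """Return (unpatched, unknown).

    unpatched: assets running a version below the baseline for their product.
    unknown:   assets whose product has no baseline entry; these are a coverage gap
               in the patch strategy, not a pass, and are reported separately.
    """
    unpatched, unknown = [], []
    for asset in inventory:
        minimum = baseline.get(asset.product)
        if minimum is None:
            unknown.append(asset)
        elif version_lt(asset.version, minimum):
            unpatched.append(asset)
    return unpatched, unknown


def report(inventory=INVENTORY, baseline=PATCHED_MIN):
    """Human-readable lines for the two findings lists."""
    unpatched, unknown = find_unpatched(inventory, baseline)
    lines = [f"UNPATCHED {a.host}: {a.product} {a.version} < {baseline[a.product]}"
             for a in unpatched]
    lines += [f"UNKNOWN   {a.host}: {a.product} {a.version} (no baseline entry)"
              for a in unknown]
    return lines


if __name__ == "__main__":
    for line in report():
        print(line)
```

Run against the constructed data, the report flags web-02, shop-02 and db-02 as below baseline and legacy-01 as unknown; the unknown list is the part a piecemeal upgrade process never produces, and it is the one that tells you where your inventory, not just your patching, is incomplete.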