A resounding majority (71%) of IT and security professionals found patching to be overly complex, cumbersome, and time consuming, according to a survey by Ivanti, the automation platform that discovers, manages, secures, and services IT assets from cloud to edge.
In fact, 57% of respondents stated that remote work has increased the complexity and scale of patch management.
Today’s speed of business has shifted user expectations with new impacts on IT. And the rapid shift to remote work has accelerated digital transformation by seven years. In the Everywhere Workplace, employees connect with various devices to access corporate networks, data, and services as they work and collaborate from new and different locations, so patching has never been more challenging. In fact, unpatched vulnerabilities remain one of the most common points of infiltration for ransomware attacks, which have increased in frequency and impact to businesses of all sizes.
The WannaCry ransomware attack, which encrypted an estimated 200,000 computers in 150 countries, remains a prime example of the severe repercussions that can occur when patches are not promptly applied. A patch for the vulnerability exploited by the ransomware had existed for several months before the initial attack, yet many organizations failed to implement it. And even now, four years later, two-thirds of companies still haven’t patched their systems. Yet organizations around the world are still being targeted by WannaCry ransomware attacks; there was a 53% increase in the number of organizations affected with WannaCry ransomware from January to March 2021.
Patching to mitigate vulnerability exposure and ransomware susceptibility is contending with resource challenges and business reliability concerns. 62% of respondents said that patching often takes a back seat to their other tasks, and 60% said that patching causes workflow disruption to users.
In addition, 61% of IT and security professionals said that line of business owners ask for exceptions or push back maintenance windows once a quarter because their systems cannot be brought down. At the same time, the speed of vulnerability weaponization continues to increase. It’s the perfect storm of poor visibility due to the recently decentralized workforce and the growth of sophisticated threat actors targeting critical vulnerabilities.
As threat actors are maturing their tactics and weaponizing vulnerabilities, especially those with remote code execution, organizations are struggling with attack surface risk and ways to accelerate patch and remediation actions. IT and security teams simply cannot respond fast enough; 53% said that organizing and prioritizing critical vulnerabilities takes up most of their time, followed by issuing resolutions for failed patches (19%), testing patches (15%), and coordinating with other departments (10%).
The myriad of challenges that IT and security teams face when it comes to patching may be why 49% of respondents believe their company’s current patch management protocols fail to effectively mitigate risk.
Srinivas Mukkamala, Senior Vice President of Security Products at Ivanti, said: “These results come at a time when IT and security teams are dealing with the challenges of the Everywhere Workplace, in which workforces are more distributed than ever before, and ransomware attacks are intensifying and impacting economies and governments. Most organizations do not have the bandwidth or resources to map active threats, such as those tied to ransomware, with the vulnerabilities they exploit. The good news is that the combination of risk-based vulnerability prioritization and automated patch intelligence can bring to light vulnerabilities that are being actively exploited and have ties to ransomware. With unique patch reliability, IT and security teams can seamlessly deploy patches, and solve for common challenges that are putting organizations at risk.”
Top industry leaders, practitioners, and analyst firms recommend a risk-based approach to identify and prioritize vulnerability weaknesses and then accelerate remediation. The White House recently released a memo encouraging organizations to use a risk-based assessment strategy to drive patch management and bolster cybersecurity against ransomware attacks. Furthermore, Gartner listed risk-based vulnerability management as a top security project that security and risk management professionals should focus on in 2021 to drive business value and reduce risk.
Ivanti surveyed over 500 enterprise IT and security professionals across North America and EMEA.