Unpatched software leaves businesses open to attack

There seems to be a system or piece of software for everything nowadays – from apps that let you explore internet browsers in virtual reality to software that can help improve your speech, technology is helping push the boundaries of what can be achieved both inside and outside of the workplace.

But while every business, on the face of it at least, is happy to acquire new systems and applications to drive productivity and reduce costs, far too few update these systems and/or software on a regular basis to ensure security. The “gold standard” for the implementation of critical patches is 30 days, and 90 days for non-critical patches, although that’s still more than enough time for cyber criminals to do damage.

Often, these businesses have bespoke systems and/or software applications that are set up in a certain way and only work with specific versions of software. A lack of updates to the system/software infrastructure could result in critical parts of it not working.

Businesses cannot afford to adopt an approach of “if it’s not broken, don’t fix it”. The fact is that outdated systems and third-party applications often have a host of vulnerabilities, and ignoring software updates could prove to be a grave mistake.

Cybercriminals target software and system vulnerabilities

The majority of impactful cyberattacks often have one thing in common: they target known vulnerabilities in systems and third-party software. WannaCry and the Equifax and BA hacks are all high-profile examples of successful attacks on unpatched systems.

But these cases also have something else in common: each one could have been avoided. Software updates and patches were released before the attacks took place, and the only reason that so many businesses fell victim to these cyberattacks is because they neglected to download, run and install them.

In the case of WannaCry, an investigation by the National Audit Office discovered that the NHS had repeatedly been warned to migrate away from its dated systems – and that “basic IT security” was all that was required to prevent the “unsophisticated” WannaCry attack.

The same applies to the Equifax with an out of date version of Apache on their webserver, and BA who had not updated a cross-site scripting vulnerability.

Without a doubt, the fundamental issue is that many businesses mistakenly believe themselves to be secure because they have advanced cyber security and intrusion detection solutions in place.

But cybersecurity is only as good as its weakest link. If a business uses outdated systems or software, endpoints are left vulnerable and can be readily compromised by a cybercriminal with very little working knowledge.

Businesses face a multi-faceted challenge in the form of patch management

Indeed, the management of system software updates and patches has become a serious challenge for modern organisations. As the technology landscape has evolved and diversified, businesses now use a variety of systems and third-party applications to manage and enhance processes. Updating infrastructure is no longer a simple button press on an operating system – it’s a business-wide decision that affects all existing activities.

For many businesses, and large enterprises in particular, updating their technology stacks often means stopping critical operations for a day or two as system software updates and patches are downloaded, installed and configured. And as their infrastructure is incredibly intricate, any update or change could result in key bits of software malfunctioning.

Subsequently the patch management process becomes time-consuming, and businesses face the difficult decision of taking crucial elements of their infrastructure offline for updates and maintenance. Neglecting these updates is akin to someone leaving their front door open and windows unlocked, but many businesses simply cannot afford to take their activities offline for even a minute.

Manage software and system updates through automated patch solutions

For businesses with this kind of complex infrastructure, it’s easy to understand why updates and patches are pushed further and further back. Installing a patch as soon as it’s available is best practice, but that kind of agility can only really be applied to a small business with limited systems and software or a single user.

Basic operating system updates can (and should) be applied as and when they are available. But for more bespoke in-house systems, which are connected to a suite of tools, a more considered approach is necessary.

Fortunately, businesses can readily manage and update their systems and third-party software infrastructure through automated patch management solutions.

Automated patch management does exactly what it says on the tin: it analyses software and systems in use to determine whether patches and/or updates are available and downloads them. These patches and/or updates are acquired in the background and can be installed at a specified time.

Panda Patch Management, a module of Panda Adaptive Defense, manages vulnerabilities – outdated systems and third-party software – and their corresponding updates and patches. Full visibility of endpoint health, i.e. whether systems or software is outdated and patch status, is provided in real time and across the enterprise.

The solution also correlates detected and identified threats with uncovered vulnerabilities to minimise response time and contain and remediate attacks through automated patch application. This kind of patch management allows businesses to get ahead of software vulnerability exploit attacks, enhance endpoint security and reduce attack vectors.

Businesses cannot afford to overlook or avoid patching and updating software infrastructure. Cybercriminals are banking on businesses not updating or patching their systems or software so that they can exploit vulnerabilities and deal damage. If an update is available, it should be applied at the earliest and most practical opportunity.

If you want to find out more about Panda Patch Management and how it can ensure that your business remains protected, click here.