Companies struggle with patching priorities


19 Apr 2006

Too many businesses lack a clear strategy for applying software patches and this results in wasted resources and a lack of understanding about their real exposure to IT security risks, warned McAfee.

Businesses across Europe are struggling to cope with the number of patches issued every year and the need to protect ever-expanding IT networks. Compounding the problem is that many IT managers lack the data to determine whether patches need to be installed urgently, said Greg Day, security analyst with McAfee.

He pointed out that Microsoft issued 55 patches last year but only one of the vulnerabilities it addressed was actually used to exploit systems. As a result, businesses may have spent time and money unnecessarily, Day claimed. Research commissioned by McAfee found that 58pc of European businesses did not know how much it cost them to deploy patches.

Day added that it is unclear whether businesses are gauging the extent of the threat to their organisation as a result of a particular vulnerability. “We are in a bit of a knee-jerk reaction era with patch management,” he told siliconrepublic.com. “As soon as the IT manager sees a vulnerability, he’s got to do something about it. The problem is that’s an expensive process. Businesses are struggling with whether the value of installing patches outweighs the cost of not doing them.”

The McAfee study, conducted by Ipsos Research, surveyed more than 600 senior IT decision makers at companies with more than 250 employees across Europe. The top-line findings reveal that more than a third (36pc) of European businesses have no idea how many patches they applied to their business in a six-month period. One fifth of European IT professionals spend an hour or more a day researching vulnerabilities and patches and close to half (45pc) of those polled said they do not prioritise which areas of the business are patched first.

More than a quarter (27pc) of those questioned say it takes 48 hours or more from the time a patch is issued to the IT infrastructure being fully protected from that vulnerability. One in five (19pc) said it takes up to a week or more.

“At the end of the day, deploying a patch is a good thing: you’re keeping your systems up to date. But what businesses need to do is to look at the risk: whether to patch immediately or on a monthly or even a quarterly cycle,” said Day. “It’s a simple tradeoff: how much money does this save me versus how much money does this cost me?”

Many organisations, having been ‘bitten’ by other infections in the past, rush to react but Day advised taking a more measured response. For example, using vulnerability assessment tools could help a business to calculate a risk value and to assign a weighting or score to particular attacks so that they can better assess the likely impact, if any, of a newly announced vulnerability.
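One way to turn that risk-weighting idea into a repeatable rule, as an added illustration that is not from the article or from McAfee: the factors, weights and thresholds below are assumptions chosen for the example, and the sample advisories are constructed, not real vulnerabilities.

```python
from dataclasses import dataclass

# Weights and thresholds are assumed for illustration, not McAfee's figures.
EXPOSURE_WEIGHT = {"internet": 3, "internal": 2, "isolated": 1}
CRITICALITY_WEIGHT = {"high": 3, "medium": 2, "low": 1}
IMMEDIATE_THRESHOLD = 60.0   # patch out of cycle
MONTHLY_THRESHOLD = 20.0     # fold into the next monthly cycle


@dataclass
class Vulnerability:
    name: str
    severity: float           # vendor or CVSS-style base score, 0-10
    exploited_in_wild: bool   # active exploitation has been reported
    exposure: str             # "internet", "internal" or "isolated"
    asset_criticality: str    # business criticality of the affected systems


def risk_score(v: Vulnerability) -> float:
    """Severity scaled by exposure and asset value; doubled if exploited."""
    score = v.severity * EXPOSURE_WEIGHT[v.exposure] * CRITICALITY_WEIGHT[v.asset_criticality]
    return score * 2 if v.exploited_in_wild else score


def patch_cycle(v: Vulnerability) -> str:
    """Map a vulnerability to the immediate, monthly or quarterly patch cycle."""
    if v.exploited_in_wild or risk_score(v) >= IMMEDIATE_THRESHOLD:
        return "immediate"
    if risk_score(v) >= MONTHLY_THRESHOLD:
        return "monthly"
    return "quarterly"


def prioritise(vulns):
    """Highest risk first, so the patch queue reflects exposure rather than arrival order."""
    return sorted(vulns, key=risk_score, reverse=True)


# Constructed sample advisories (hypothetical identifiers, not real CVEs).
SAMPLE = [
    Vulnerability("ADV-A", 7.5, True, "internet", "high"),
    Vulnerability("ADV-B", 9.0, False, "internal", "medium"),
    Vulnerability("ADV-C", 4.3, False, "isolated", "low"),
    Vulnerability("ADV-D", 6.0, False, "internet", "high"),
]

if __name__ == "__main__":
    for v in prioritise(SAMPLE):
        print(f"{v.name}: score={risk_score(v):.1f} cycle={patch_cycle(v)}")
```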

In addition, companies could also mitigate the need for ad hoc patching by installing intrusion-prevention systems which perform constant checking for potential breaches. “It’s like having a small army of security guards monitoring the facilities,” he said. “A more effective way of spending money is to understand what the problem means to you and be proactive so you don’t have to react all the time.”

By Gordon Smith