For organisations, there is an increasing desire to improve cybersecurity but there is much debate over which areas require the greatest focus. RSA’s Art Coviello said, “There is too much spending on the wrong things. Security strategies have been driven and sold on fear and compliance issues with spending on perceived rather than genuine threats”. As a result of false information, organisations are left confused about which advice to follow for the best protection. One example of a cybersecurity fallacy is the claim that unpatched systems exposing known vulnerabilities will welcome attacks.
Exploring this claim
Patch management, as a process, involves correcting errors in your software by distributing and applying updates or ‘patches’ to protect against threat actors looking to exploit these weaknesses. Applications and operating systems are among the most common areas that require patching. Some experts claim that patch management should be an organisation’s top priority, to ensure that errors or vulnerabilities in the system are identified and fixed. Threat actors constantly watch for new patches and will work to exploit the underlying vulnerability a patch reveals. Patch management aims to ensure that software and network devices are up to date and protected against threats.
Debunking this claim
In recent years, patch management has actually fallen out of focus; very few patch management companies are in operation because it isn’t part of the operating system as it once was. What organisations should deem crucial to their cybersecurity is vulnerability management as a whole. Patch management is only one piece of the puzzle. Other aspects of vulnerability management include network scanning (identifying users and devices connected to the network), prioritisation (identifying which of the vulnerabilities could cause the greatest harm), verification (confirming that identified vulnerabilities are exploitable) and reporting (evaluating the process via analytics, data management and visualisation tools).
The reality is that organisations can patch their systems to their best ability but it still won’t be 100% effective.
“Even if organisations patch 80% of their estate, the tools used by threat actors are designed to find that 20% that has yet to be patched. With vulnerability management, your organisation will be better equipped to deal with these vulnerabilities.” said our CEO Etienne Greeff.
Here are three steps your organisation can take to improve your vulnerability management:
- Assess — Ensure that your organisation assesses the vulnerabilities in its systems on a regular, monthly basis.
- Organise — If you know you have areas that aren’t patched, make sure they aren’t all on a flat network. This way, if someone manages to compromise one area, they don’t have unfiltered access to the rest of the network.
- Prioritise — To avoid the greatest damage, you must understand the impact each vulnerability may have on your system. Your assessments may expose a number of vulnerabilities, so it’s imperative that you can identify which one would have the most damaging impact and therefore requires immediate attention.
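The three steps above, worked through in code as an added example (not the company’s own tooling): each scanner finding is enriched with the context the post calls out (asset criticality, exposure, whether the host sits on a flat network, whether exploitability was verified, whether a patch exists) and ranked so that the unpatchable, flat-network database outranks a high-CVSS kiosk. The hosts, vulnerability ids and weighting factors are constructed placeholders, not a standard scoring scheme.

```python
from dataclasses import dataclass


@dataclass
class Finding:
    """One scanner finding, enriched with the context the post says matters."""
    host: str
    vuln_id: str            # placeholder id, not a real CVE
    cvss: float             # base severity 0-10 reported by the scanner
    criticality: int        # business value of the asset: 1 low, 2 medium, 3 high
    internet_exposed: bool  # reachable from outside the network
    flat_network: bool      # host sits on an unsegmented ("flat") segment
    verified: bool          # exploitability confirmed by the verification step
    patch_available: bool   # a vendor fix exists


def risk_score(f: Finding) -> float:
    """Context-weighted score; the multipliers are illustrative assumptions."""
    score = f.cvss * f.criticality
    if f.internet_exposed:
        score *= 1.5
    if f.flat_network:
        score *= 1.25   # a compromise here gives unfiltered reach to the rest
    if f.verified:
        score *= 2.0    # confirmed exploitable outranks theoretical
    return round(score, 1)


def recommended_action(f: Finding) -> str:
    """Patch if you can; otherwise shrink the blast radius or accept the risk."""
    if f.patch_available:
        return "patch"
    if f.flat_network:
        return "segment"
    return "accept-with-controls"


def prioritise(findings):
    """Return (host, vuln_id, score, action) tuples, highest risk first."""
    ranked = sorted(findings, key=risk_score, reverse=True)
    return [(f.host, f.vuln_id, risk_score(f), recommended_action(f)) for f in ranked]


# Constructed sample findings from one monthly assessment (not real hosts or CVEs).
SAMPLE = [
    Finding("kiosk-07", "VULN-A", 9.8, 1, False, False, False, True),
    Finding("web-01",   "VULN-B", 7.5, 2, True,  False, False, True),
    Finding("db-01",    "VULN-C", 9.8, 3, False, True,  True,  False),
    Finding("vpn-01",   "VULN-D", 8.1, 3, True,  False, True,  True),
]

if __name__ == "__main__":
    for row in prioritise(SAMPLE):
        print(row)
```

Note that kiosk-07 and db-01 share the same CVSS score, yet the ranking puts the kiosk last and the database first because of where it sits and what it holds.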
Ultimately, leaving vulnerabilities exposed could cost organisations both time and money. Whilst patching is of course still necessary to reduce attack surface, organisations need to understand that in today’s digitally transformed world there will always be a vulnerability in the system that they are unable to patch. Vulnerability management can help organisations to recognise these issues and adjust their operations to be able to do business with an acceptable amount of risk.
To find out how we can help you assess and manage your vulnerabilities, contact us here.