
A survey of 252 security and IT professionals published today finds more than three quarters of respondents (77%) require more than a week to apply a patch to software running in an IT environment.
The survey, conducted by Demand Metric on behalf of Adaptiva, a provider of a platform for automating patch management, found that nearly two thirds of respondents (64%) identified coordinating the detection of vulnerabilities with their remediation as their biggest patch management challenge.
Chaz Spahn, director of product management for Adaptiva, said IT teams are increasingly focused on patch management because the amount of time between when a vulnerability is discovered and when it might start to be exploited is now measured in minutes. In fact, the survey finds more than half of respondents (51%) report that patching has become a bigger issue than vulnerability detection. Nearly all (98%) said patching software disrupts their work by forcing them to reallocate resources.
Most of the survey respondents (79%) said they have already automated the distribution of application patches, and 57% of those who haven't automated it plan to do so within the next year. However, they still require approval from IT operations (81%) or cybersecurity (79%) before deploying a patch. Only 44% said they also need the approval of the application owner.
There is, of course, always a chance that a patch might break an application, but tools that assess known issues with a patch are reducing those risks, said Spahn. IT teams can make more informed decisions about the level of disruption a patch might create, he added. On the plus side, it's also becoming easier to roll back patches if there is a disruption, Spahn noted.
That's critical because while downtime might adversely impact business operations, the risks associated with cyberattacks have increased sharply. A cyberattack that exploits a vulnerability in an application can easily open the door to a ransomware attack that prevents the organization from functioning at all, said Spahn.
Not every vulnerability carries the same level of risk, so IT teams still need to apply patches judiciously, but any time a new type of zero-day vulnerability is disclosed, the race to patch applications is on. Cybercriminals have clearly shown they have the tools to create exploits for some vulnerabilities within a few hours of initial disclosure. The rise of artificial intelligence (AI) is only going to make it simpler to create those exploits.
IT organizations will need to continue to assess the risks of deploying a patch, but automating an update to, for example, an operating system is generally less risky than patching application software that tends to have a lot of dependencies between software components that are often not easily discernible. There will, naturally, always be some level of risk, so monitoring the impact of a patch remains critical.
The one thing that is certain is that while successfully applying a patch may not be noticed, just about everyone in the company will hear about any patch that takes down an application; so IT teams, as always, need to be as prudent as possible.