Poor Patch Management Still Plagues Cybersecurity

Organizations spend an average of 12 days more to patch flaws in 2019 as compared to last year, a new report on security vulnerability and patch management said.

This despite a noticeable increase in cybersecurity spending in 2019 on breach prevention, detection and remediation, according to ServiceNow’s report, entitled Today’s State of Vulnerability Response: Patch Work Requires Attention, which surveyed 3,000 security pros in nine countries. The study’s goal is to show organizations how to reduce time to respond to vulnerabilities.

ServiceNow: Patch Management Research Findings

Why the delay in vulnerability and patch management? Data silos and poor organizational coordination impede timely and effective patching. The answer: Enterprises need to prioritize more effective and efficient security vulnerability fixes.

Compounding the problem is the security landscape is getting worse, ServiceNow, a Santa Clara, CA-based digital workflow specialist, said. According to the study’s findings, cyber attacks increased by 17 percent from 2018 with 60 percent of breaches linked to a vulnerability where a patch was available but not applied. On average, it takes 16 days to patch a critical vulnerability after it has been detected, underscoring the need for faster, more targeted responses aimed at critical patches and likely breach targets, the company said.

In the research, ServiceNow compared 2019’s findings to last year’s data.

Here are some key data from the survey:

On costs, downtime, staffing:

  • 24% increase in weekly costs spent on patching compared to 2018, averaging $1.4 million per year.
  • 30% more downtime vs. 2018, due to delays in patching vulnerabilities.
  • 69% plan to hire an average of five staff members dedicated to patching in the next year at an average cost of $650,000 annually for each organization.
  • 88% said they must engage with other departments across their organizations.

On increasing cyber attacks:

  • 17% increase in the volume of cyber attacks compared to 2018.
  • 27% increase in cyber attack severity compared to 2018.
  • 50% noted a shorter window of time to patch before a vulnerability is successfully attacked over the last two years.

On patching effectiveness:

  • 77% believe they do not have enough resources to keep up with the volume of patches.
  • 76% noted the lack of a common view of applications and assets across security and IT teams.
  • 74% said they cannot take critical applications and systems offline to patch them quickly.
  • 72% said it is difficult to prioritize what needs to be patched.

On automation:

  • 80% who employ automation techniques said they respond to vulnerabilities in a shorter time frame through automation.

On ServiceNow’s conclusions:

  • Automation delivers a significant payoff in terms of being able to respond quickly and effectively to vulnerabilities.
  • Organizations that have achieved a high maturity in their vulnerability processes are most likely to have adequate staffing and other resources to patch in a timely manner.

“Companies saw a 30 percent increase in downtime due to patching of vulnerabilities, which hurts customers, employees and brands,” said Sean Convery, ServiceNow's security and risk general manager. He called the study a “wakeup call” for chief information officers and chief information security officers. “Many organizations have the motivation to address this challenge but struggle to effectively leverage their resources for more impactful vulnerability management,” Convery said. “Teams that invest in automation and maturing their IT and security team interactions will strengthen the security posture across their organizations.”

D. Howard Kass

D. Howard Kass is a contributing editor to MSSP Alert. He brings a career in journalism and market research to the role. He has served as CRN News Editor, Dataquest Channel Analyst, and West Coast Senior Contributing Editor at Channelnomics. As the CEO of The Viewpoint Group, he led groundbreaking market research.