Ivanti announced the results of a survey in which a resounding
majority (71%) of IT and security professionals found patching to be overly
complex, cumbersome, and time-consuming. In fact, 57% of respondents stated
that remote work has increased the complexity and scale of patch management.

Today's speed of business has shifted user expectations with new impacts on IT. And the
rapid shift to remote work has accelerated digital transformation by seven
years. In the Everywhere Workplace, employees connect with various devices to
access corporate networks, data, and services as they work and collaborate from
new and different locations, so patching has never been more challenging. In
fact, unpatched vulnerabilities remain one of the most common points of infiltration
for ransomware attacks, which have increased in frequency and impact to
businesses of all sizes.

The WannaCry ransomware attack, which encrypted an estimated 200,000 computers in
150 countries, remains a prime example of the severe repercussions that can
occur when patches are not promptly applied. A patch for the vulnerability
exploited by the ransomware had existed for several months before the initial
attack, yet many organizations failed to implement it. And even now, four years
later, two-thirds of companies still haven't patched their systems. Meanwhile,
organizations around the world are still being targeted by WannaCry ransomware
attacks; there was a 53% increase in the number of organizations affected by
WannaCry ransomware from January to March 2021.

Patching to mitigate vulnerability exposure and ransomware susceptibility is contending
with resource challenges and business reliability concerns. 62% of respondents
said that patching often takes a back seat to their other tasks, and 60% said
that patching causes workflow disruption to users. In addition, 61% of IT and
security professionals said that line of business owners ask for exceptions or
push back maintenance windows once a quarter because their systems cannot be
brought down. At the same time, the speed of vulnerability weaponization
continues to increase. It's the perfect storm of poor visibility due to the
recently decentralized workforce and the growth of sophisticated threat actors targeting
critical vulnerabilities.

As threat actors are maturing their tactics and weaponizing vulnerabilities,
especially those with remote code execution, organizations are struggling with
attack surface risk and ways to accelerate patch and remediation actions. IT
and security teams simply cannot respond fast enough; 53% said that organizing
and prioritizing critical vulnerabilities takes up most of their time, followed
by issuing resolutions for failed patches (19%), testing patches (15%), and
coordinating with other departments (10%). The myriad of challenges that IT and
security teams face when it comes to patching may be why 49% of respondents
believe their company's current patch management protocols fail to effectively
mitigate risk.

Srinivas Mukkamala, Senior Vice President of Security Products at Ivanti, said: "These
results come at a time when IT and security teams are dealing with the
challenges of the Everywhere Workplace, in which workforces are more
distributed than ever before, and ransomware attacks are intensifying and
impacting economies and governments. Most organizations do not have the
bandwidth or resources to map active threats, such as those tied to ransomware,
with the vulnerabilities they exploit. The good news is that the combination of
risk-based vulnerability prioritization and automated patch intelligence can
bring to light vulnerabilities that are being actively exploited and have ties
to ransomware. With unique patch reliability, IT and security teams can
seamlessly deploy patches, and solve for common challenges that are putting
organizations at risk."

Top industry leaders, practitioners, and analyst firms recommend a risk-based
approach to identify and prioritize vulnerability weaknesses and then
accelerate remediation. The White House recently released a memo encouraging organizations to use a risk-based
assessment strategy to drive patch management and bolster cybersecurity against
ransomware attacks.

Furthermore, Gartner listed risk-based vulnerability management as a top
security project that security and risk management professionals should focus on
in 2021 to drive business value and reduce risk.