Why Software Patches Don’t Fix Everything


Security breaches remain a top concern for businesses today. Data breaches and cyberattacks affected 765 million people in April, May and June of 2018 alone, with tens of millions of dollars lost, according to global digital security firm Positive Technologies.

While companies should be alarmed, are they doing everything they can to prevent the breaches? It turns out they aren’t.

Perhaps there are so many breaches that brands turn a deaf ear to the warnings to protect themselves. The cybersecurity industry calls it “breach fatigue.” Companies can become overwhelmed and indifferent when they hear about breach after breach, as if there’s nothing they can do to avoid being the next one to suffer a loss.   

Software patching can provide a fix.

Software patching can be a simple way to protect a business against a breach. A large share of breaches exploit vulnerabilities that were already known and for which a fix already existed. The patches are publicly available but, many times, they are never installed.

When attackers broke into Equifax’s systems in 2017, causing the now infamous breach, they exploited an Apache Struts vulnerability for which a patch had been available for months. WannaCry, the global ransomware worm of the same year, is another example: it spread through a Windows SMB flaw that Microsoft had patched two months earlier, so organizations that kept their systems updated were not affected.

Before we blame the average user, though, one study found that even security pros don’t always update. Just 64% of security experts say they update their software automatically (39%) or as soon as they’re notified that a new version is available (25%). Further, another study found that once a vendor releases an update, it takes between 18 and 24 days before half of the vulnerable hosts have been patched.

Why don’t software patches always work?

So, if breaches keep happening, businesses are concerned and fixes are available, why do companies resist installing updates? For starters, installing updates interrupts users’ workflow. They can also take a long time. Teams might fear updating programs because executives may become angry if a patch interrupts their workflow.

Installing updates can be frustrating. In research conducted on installing software updates by the University of Edinburgh and Indiana University, half of the respondents noted that they were frustrated when trying to update software, with only 21% saying they had a positive experience.

Additionally, users may fear bringing a service down. If updates have caused problems with software someone uses regularly, they’re likely to avoid them in future. What’s more, a platform like Java, on which many other applications depend, can break those applications when it is upgraded, so a single patch can have a wide blast radius.

Lastly, regularly scheduled update emails are often ignored. If someone sees an email once a week, for example, they may be more likely to ignore it versus a special email that announces an important update. Companies don’t always do a good job of highlighting a particularly important patch. And it doesn’t help that there are also too many patches. Users can be bombarded with updates, causing them to tune out.

How can companies be convinced to prioritize installing software patches?

While these are all valid concerns, there are a few ways to cut through the fear and reservations in order to address this issue:

• Enable automatic updates. Google Chrome downloads updates in the background and applies them the next time the browser is relaunched, so most users never notice that an update took place. One caveat: when a fix only takes effect after a restart, as is the case for many Microsoft updates, automatic installation alone does not protect the machine until it has actually rebooted. Pending reboots need to be tracked and enforced, or a host can show as patched while still being exploitable.

• Educate users. Education is needed so that users understand the importance of updates and patches. Perhaps companies can offer some type of incentive to get workers to update their software. Or maybe the information could be presented in a more accessible way (via video, for example).

• Look at the consequences. If employees understand the consequences of security breaches, they may be more likely to pay attention to calls to keep programs updated. Each security breach is estimated to cost an enterprise organization about $1.23 million, plus the cost of recovery, which is estimated to be $1.6 million. Not to mention, the damage to a brand’s reputation, which can be priceless.

• Patch the riskiest applications first. A small number of applications account for most of the exploited vulnerabilities, so patch those first; not every patch is equally urgent. Prioritize the applications that cause most of the issues. Historically, much of that risk could be traced to programs like Java, Adobe Acrobat, Flash and Internet Explorer, while other patches may not be as vital.

• Provide incentives to those who do the patching. Make sure the patch management team understands where most of their time should be spent.

• Choose software and devices that can be easily updated. Buy only products that can be updated without disruption, and ask vendors how often they issue patches and for how long they will keep issuing them.
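As an added example (this is not code from the article), the following Python script ranks outstanding patches across a constructed host inventory the way the list above suggests: known-exploited flaws on internet-facing hosts come first, and patches that are installed but not yet effective because a reboot is pending are flagged as still exposed rather than silently counted as done. The hosts, version numbers, CVSS scores and weighting factors are assumptions made up for illustration, not real data.

```python
"""Risk-based patch prioritisation over a constructed host inventory.

Added example, not from the original article. All hosts, versions, CVSS
values and the weighting factors below are assumed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Vuln:
    """A known, patchable weakness in one application (constructed data)."""
    app: str
    fixed_in: str            # first version that contains the fix
    cvss: float              # base severity score
    exploited_in_wild: bool  # known active exploitation raises priority
    needs_reboot: bool       # fix is only live after a restart


@dataclass(frozen=True)
class Host:
    name: str
    internet_facing: bool
    installed: dict          # app name -> installed version string
    reboot_pending: bool = False  # as reported by the OS after patching


def parse_version(v: str) -> tuple:
    """'8.0.181' -> (8, 0, 181); numeric compare avoids '8.0.9' > '8.0.10' string bugs."""
    return tuple(int(part) for part in v.split("."))


def is_vulnerable(host: Host, vuln: Vuln) -> bool:
    """True when the app is installed and older than the first fixed version."""
    ver = host.installed.get(vuln.app)
    return ver is not None and parse_version(ver) < parse_version(vuln.fixed_in)


def awaiting_reboot(host: Host, vuln: Vuln) -> bool:
    """Patched on disk, but the fix is not in effect until the host restarts."""
    ver = host.installed.get(vuln.app)
    return (ver is not None and not is_vulnerable(host, vuln)
            and vuln.needs_reboot and host.reboot_pending)


def risk_score(host: Host, vuln: Vuln) -> float:
    """Assumed weighting: x2 for active exploitation, x1.5 for internet exposure."""
    score = vuln.cvss
    if vuln.exploited_in_wild:
        score *= 2
    if host.internet_facing:
        score *= 1.5
    return round(score, 2)


def prioritize(hosts, vulns):
    """Return (host, app, action, score) rows, highest risk first.

    action is 'patch' for a vulnerable version, or 'reboot' for a host that
    has the fixed version installed but has not restarted to activate it.
    """
    rows = []
    for h in hosts:
        for v in vulns:
            if is_vulnerable(h, v):
                rows.append((h.name, v.app, "patch", risk_score(h, v)))
            elif awaiting_reboot(h, v):
                rows.append((h.name, v.app, "reboot", risk_score(h, v)))
    return sorted(rows, key=lambda r: (-r[3], r[0], r[1]))


def risk_by_app(rows):
    """Total outstanding risk per application, to show which few apps dominate."""
    totals = defaultdict(float)
    for _, app, _, score in rows:
        totals[app] += score
    return dict(sorted(totals.items(), key=lambda kv: -kv[1]))


# Constructed vulnerability feed (versions and scores are illustrative only).
VULNS = [
    Vuln("java", "8.0.201", 9.8, exploited_in_wild=True, needs_reboot=False),
    Vuln("os-kernel", "5.4.2", 8.1, exploited_in_wild=True, needs_reboot=True),
    Vuln("acrobat", "19.010", 7.8, exploited_in_wild=False, needs_reboot=False),
    Vuln("flash", "32.0.0.156", 7.5, exploited_in_wild=False, needs_reboot=False),
]

# Constructed inventory: web-01 already has the fixed kernel but has not rebooted.
HOSTS = [
    Host("web-01", True, {"java": "8.0.181", "os-kernel": "5.4.2"}, reboot_pending=True),
    Host("laptop-07", False, {"java": "8.0.181", "acrobat": "19.008", "flash": "32.0.0.101"}),
    Host("db-02", False, {"os-kernel": "5.4.1"}),
]

if __name__ == "__main__":
    work = prioritize(HOSTS, VULNS)
    for host, app, action, score in work:
        print(f"{score:6.1f}  {action:6}  {host:10} {app}")
    print("risk by application:", risk_by_app(work))
```

The `reboot` rows are the ones an automatic-update dashboard tends to miss: the package manager reports the fixed version, yet the old code is still running. The `risk_by_app` totals make the "handful of apps" point concrete, since in this inventory two applications account for most of the outstanding score.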

If companies prioritize installing software updates, the number of breaches could be reduced. Changing the mindset is challenging but necessary to protect a company’s data.

Source: Forbes