A study by security firm Bromium reports that, on average, organisations have to issue an emergency patch five times a month, with each patch taking 13 hours.
The research also found that “53% of businesses have had to pay overtime, or bring in a third-party issue response team, to issue patches or fire-fight a security issue in the past year”. This reportedly costs businesses an average of $19,908 per patch (about £15,630).
Bromium says that organisations’ problems with crisis patching are compounded by the fact that many computers still run on legacy systems. Windows 7 is the most widely used legacy system, still running on nearly half of all desktops, and it was unpatched versions of this operating system that caused WannaCry to spread so rapidly.
Simon Crosby, Bromium’s CTO and co-founder, said:
We can see with the recent WannaCry outbreak – where an emergency patch was issued to stop the spread of the worm – that enterprises are still having to paper over the cracks in order to secure their systems.
The fact that these patches have to be issued right away can be hugely disruptive to security teams, and often very costly to businesses, but not doing so can have dire consequences. WannaCry certainly isn’t an isolated case and as ransomware and polymorphic malware become increasingly sophisticated and difficult to defend against, we are going to see many more emergency patches become a crisis – although, sadly, they will often be too late.
There are many reasons why organisations don’t upgrade to the latest operating system. The financial cost of upgrading is a large factor, as it was for the NHS: despite the government receiving many warnings about the dangers of legacy systems, last year it cut the NHS repairs fund by £1.1 billion.
Bromium reports that organisations may also fail to upgrade their systems due to it being “complex, disruptive and in some instances, unachievable, due to application dependencies”.
Test the security of your systems
If you’re concerned about the security of your systems, you should conduct regular penetration tests. Testing is an essential component of any cyber security strategy: it helps you prioritise remediation more intelligently, apply the necessary security patches and allocate security resources more effectively, so that they are available when and where they are needed most.