
New Windows Vulnerabilities Highlight Patch Management Challenges

Brian Thomas | January 24, 2020

For anyone in IT (and even home computer users), Microsoft’s monthly “Patch Tuesday” is an important part of their cyber hygiene routine. This month’s update proved to be a particularly critical one.

Early in January, the National Security Agency (NSA) alerted Microsoft to a major flaw in Windows 10 that could let hackers pose as legitimate software companies, service providers, websites, or others. "It's the equivalent of a building security desk checking IDs before permitting a contractor to come up and install new equipment," Ashkan Soltani, a security expert and former chief technologist for the Federal Trade Commission, told CNN.

Fortunately, Microsoft acted quickly and issued a critical update for the flaw, tracked as CVE-2020-0601, on January 14.

Despite this quick action, businesses and government have a habit of missing, ignoring, or delaying important patches and updates. They do so at their peril. In 2019, the majority of cybersecurity breaches were a result of unapplied patches. However, the reasons for this oversight are complicated and often unintentional.

Patch management — IT’s nightmare

Getting a handle on patch management is an unending challenge for IT and security teams. Last year, 12,174 common vulnerabilities and exposures (CVEs) were reported — making patching an almost impossible task for any organization. In fact, it takes the average organization 38 days to patch a vulnerability. Even then, 25% of software vulnerabilities remain unpatched for more than a year.   

One of the biggest obstacles to frequent patching is that security teams struggle to identify everything that needs to be fixed. Understaffed and struggling with alert fatigue, these teams find it hard to identify the systems that have yet to be updated, prioritize remediation, and apply patches quickly.

To add to their workload, IT and cybersecurity teams must also make certain that the appropriate security policies are in place to ensure that users regularly update their PCs and devices, and don’t delay the inevitable “Windows Update.”

Risk also extends beyond the four walls of the business. Third- and fourth-party cyber risk is a big threat to businesses: 59% of breaches have their origins in vulnerable and unpatched third-party systems. The trouble is that vendor risk assessment questionnaires only offer a point-in-time view into the security posture of suppliers, partners, and sub-contractors, including their unpatched software, which leaves IT in the dark.

Windows 7 — a new risk

While Microsoft focuses on closing gaps in its Windows 10 OS, Windows 7 users walked into a new cybersecurity land mine on January 14, 2020. Microsoft ended support for the nine-year-old OS and will no longer issue security patches or updates.

This is particularly problematic, since almost 70% of organizations are still using Windows 7 in some capacity, leaving them susceptible to a security issue, attack, or breach — unless they purchase extended support from Microsoft or upgrade to Windows 10.  

Fixing the patch management challenge

Maintaining a frequent patching cadence is critical to mitigating cyber risk, but it doesn’t have to be a nightmare.

With the BitSight Security Ratings platform, your organization can shine a spotlight on vulnerable, unpatched systems and out-of-date operating systems — both internally and across nth parties (partners, vendors, customers, etc.). Using these insights, IT teams can prioritize which patches are most critical and take steps to measurably reduce risk.

Plus, security ratings make it easier to share actionable security information with other business functions. With this information in hand, teams can collaborate with each other on pressing security issues to help reduce risk across your business ecosystem.

Furthermore, because patching cadence is indicative of the likelihood of a breach, it has stepped into the spotlight as something the Board and C-suite are interested in. With security ratings, this conversation becomes much easier because information about vulnerabilities is provided in a straightforward and non-technical way that is easy for everyone to understand.

Security ratings can also be shared outside the organization. This allows third parties to identify and rectify issues and blind spots in their systems and software continuously and in real time, without waiting on lengthy audits or assessments.

Time is of the essence

As the recent Windows 10 critical update shows, organizations must do everything they can to stay on top of their patching cadence and that of their vendors.

But there’s no need for organizations to be paralyzed by the sheer volume of ongoing patches. Learn more about how BitSight can help. 
