Why Businesses Suck at Patch Management

With the revelation that 81% of organizations fail to properly address cloud vulnerabilities, it’s clear that proper patch management of critical business systems continues to be an afterthought for cloud-forward companies. Why is that?

Faced with massive, game-changing cyber attacks and the media buzz surrounding them, how can anyone downplay the importance of not only heightened protection but doing what many consider the bare minimum for IT security – patching business-critical systems?

Is it a business-centric move, a misunderstanding of cloud-based threats or just apathy toward patch management in general?

The Reasons Why Companies Fail at Patching

  1. Too Often Business Needs Outweigh Security Needs
    While most business leaders recognize the need for security patches on an intellectual level, in the day-to-day chaos business can rank higher on the list of priorities. Installing patches is also a time-consuming process that can disrupt development and business processes.

    This is further complicated as organizations struggle to even properly staff their security departments. Because of this, it can be tempting to delay or outright avoid patching critical systems.

    Of course, all of this assumes these systems are even patchable in the first place. For practicality and cost reasons, businesses don’t always keep pace with technological advancements. If left unchecked, this technology gap can become a chasm, leaving a business with outdated, unsupported software and technology rife with vulnerabilities that may never be addressed.

    It’s an all too familiar situation and one that threat actors, through tools such as EternalBlue (most notably leveraged by WannaCry and Petya), are keen to exploit.
  2. There’s a Cloud Security Knowledge Gap
    Many organizations simply don’t have a comprehensive understanding of cloud security. Much of that deficiency is driven by a lack of security talent. In one 2016 survey, 32% of organizations said that inadequate security resources and expertise were their top cloud challenges. And those looking to compensate for this deficiency likely face an uphill battle finding qualified, trained security experts due to the well-documented cyber security talent gap. These deficiencies can leave cloud-focused organizations in a state of “not knowing what they don’t know” – all to the benefit of threat actors.
  3. Apathy for Cloud Security
    It can be tempting to believe that a major data breach won’t really happen to you… and anyway, if it does, you can just pay for it later. Some organizations believe, quite mistakenly, that paying the penalties of a breach is cheaper than investing in cyber security upfront. It’s not dissimilar from the risk vs. reward mentality you may experience when evaluating your need for insurance (although it should be noted that cyber security and cyber insurance are not the same). “Do I accept the risks for short-term savings, or invest in long-term stability?” The answer to this quandary depends on many factors, most notably your risk appetite and tolerance for potential consequences – which can be quite substantial in the event of a breach.

    Even then, the costs associated with a breach should make the prospect of sidelining security a non-starter. A 2017 Ponemon study estimated the average cost of a data breach at $3.62 million – a figure that doesn’t fully capture potential costs associated with reputation and operational fallout resulting from a breach. As we’ve covered at length, security matters for every organization in the cloud. Not properly securing business systems can’t be an option, especially when your customers trust you with their data. It’s a level of corporate responsibility that can’t be neglected.

Patch Management: The Key to Security in the Cloud

Despite these seemingly legitimate reasons for not optimizing cloud security, its necessity is undisputed. And it all starts with patch management.

And, the good news is that patch management doesn’t have to be a time-consuming thorn in your side. By working with a trusted cloud security provider, your systems can stay patched without you having to think about it. You don’t have to be hapless when it comes to cloud security – or make excuses for avoiding it.
