Forget the stealthy hacker deploying a never-before-seen zero day to bring down your network. IT security professionals admit that one in three breaches are the result of vulnerabilities that they should have already patched.
Software vendors are constantly publishing new patches to fix problems in software that they have sold. It's then up to the users of the software to apply the patches -- or else risk leaving themselves open to attack via the backdoors that the vendors failed to spot when building the product in the first place.
But the sheer volume of patches, with many vendors publishing new fixes on a monthly basis, and the need to test those patches to ensure that they don't cause other unexpected problems, means that there's often a delay in getting systems secured. That leaves a gap that hackers can exploit.
One in three IT professionals (34%) in Europe admitted that their organisation had been breached as a result of an unpatched vulnerability (higher than the average of 27%) according to a survey by security company Tripwire.
Finding the stuff that needs patching can be a challenge: 59% of respondents said they can detect new hardware and software on their network within hours, but it's a difficult manual effort for many, with 35% saying less than half of their assets are discovered automatically.
Just under half of companies said they aimed to deploy a security patch within a week, while over 90% of companies said that they would generally fix a flaw within a month. But nearly half of companies said they had to deal with less than 10 vulnerabilities a month; another 29% said they had 10-50 patches to apply every month. Four out of five companies said they had stopped using a product because of a vulnerability disclosure.
The 2017 WannaCry ransomware attack was probably the clearest example of what can go wrong when patches aren't applied; while a patch for the vulnerability exploited by the ransomware had existed for several months many organisations -- notably, parts of the UK's National Health Service -- had failed to use it.