Not tomorrow, but now: the critical risk of delayed software updates

  • April 5, 2024

“Patch Tuesday” is an established concept: on the second Tuesday of every month Microsoft publishes its security updates, and you can set your clock by it. From end users to IT professionals, everyone is familiar with the phenomenon. So you would expect IT and security teams to be ready to deploy those patches immediately and close the vulnerabilities they address. Unfortunately, many are not. And that is a problem.

If a warning light comes on in your car, the driver heads to the workshop to have the problem fixed, even though with cars it usually takes several weeks before the fault actually causes trouble. When our software’s proverbial warning lights start blinking, on the other hand, we find it easy to hit the snooze button, with the idea: we will tackle that later.

Unfortunately, in the digital age the speed at which technology develops is matched by the speed at which cyber threats evolve. A recent study uncovered a disturbing trend: significant delays in fixing critical software vulnerabilities, which pose a serious cybersecurity risk. Why are organizations patching so slowly? What risks does that carry? And what are the solutions?

Why are we waiting to patch?

Back to Patch Tuesday. Despite the predictability of these updates, 28% of IT professionals admit that it takes them at least three weeks to patch critical vulnerabilities, and another 20% take a month.

Meanwhile, there has been no shortage of urgent, out-of-band vulnerabilities. Do the names MOVEit, curl and Apache Superset mean anything to you? These vulnerabilities gave many IT and security teams sleepless nights over the past year. Not all of them were exploited before a fix existed, but each demanded a response outside the regular patch cycle. Roughly 100 new zero-day issues emerge every year. That may not sound like much, but they cause disproportionate damage, and much of that damage happens after a fix is already available, because we prefer to wait before applying it.

Several factors contribute to slow patching. First there is the challenge of visibility, both into the assets on a network and into the components inside the software where the vulnerabilities live. Many IT departments do not know which endpoints exist on their network, which applications end users have installed, or where the components of that software come from. Not every company yet uses a Software Bill of Materials (SBOM), which lists exactly which components a piece of software contains. The far-reaching impact of the Log4Shell vulnerability in Apache Log4j showed how difficult it is for security teams to identify affected components quickly: a vulnerable log4j-core library could be bundled several layers deep inside an application that never mentioned it. Recent research shows that 38% of applications using Log4j still run insecure versions.
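To make the visibility problem concrete, here is an added example (my own code, not part of the original post and not Tanium's tooling) that scans a CycloneDX SBOM for log4j-core components below the versions that closed the Log4Shell family of bugs, including components nested inside other components, which is where they tended to hide. The SBOM is a constructed sample, and the fixed-version floors used here (2.17.1 in general, 2.12.4 for the Java 7 line, 2.3.2 for the Java 6 line) are assumed values that you should verify against Apache's Log4j security advisories before relying on them.

```python
import json
import re

# Minimum safe log4j-core versions per release line. These floors are the
# values assumed for this example; verify them against Apache's Log4j
# security advisories before relying on them.
FIXED_FLOORS = {
    (2, 3): (2, 3, 2),     # Java 6 line
    (2, 12): (2, 12, 4),   # Java 7 line
}
DEFAULT_FLOOR = (2, 17, 1)  # every other 2.x line

LOG4J_GROUP = "org.apache.logging.log4j"
LOG4J_CORE_PURL_PREFIX = f"pkg:maven/{LOG4J_GROUP}/log4j-core@"

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(text):
    """Reduce 'MAJOR.MINOR[.PATCH][-qualifier]' to a comparable int tuple.
    Pre-release qualifiers such as '2.0-beta9' collapse onto their base
    version, which is conservative: they compare below any fixed release."""
    match = _VERSION_RE.match(text)
    if not match:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part or 0) for part in match.groups())


def is_vulnerable_log4j_core(version):
    """True when a log4j-core version sits below the fixed floor of its line."""
    parsed = parse_version(version)
    if parsed[0] != 2:
        return False  # 1.x is end-of-life and out of scope for this check
    floor = FIXED_FLOORS.get(parsed[:2], DEFAULT_FLOOR)
    return parsed < floor


def _log4j_core_version(component):
    """Return the log4j-core version of a CycloneDX component, or None.
    The purl is preferred; group/name/version fields are the fallback."""
    purl = component.get("purl", "")
    if purl.startswith(LOG4J_CORE_PURL_PREFIX):
        # Strip purl qualifiers such as '?type=jar'.
        return purl[len(LOG4J_CORE_PURL_PREFIX):].split("?", 1)[0]
    if component.get("group") == LOG4J_GROUP and component.get("name") == "log4j-core":
        return component.get("version")
    return None


def find_vulnerable_components(sbom):
    """Walk a CycloneDX JSON document, including components nested inside
    other components, and return (name, version, purl) for every log4j-core
    entry below its fixed floor."""
    hits = []

    def walk(components):
        for component in components:
            version = _log4j_core_version(component)
            if version and is_vulnerable_log4j_core(version):
                hits.append((component.get("name"), version, component.get("purl")))
            walk(component.get("components", []))

    walk(sbom.get("components", []))
    return hits


# Constructed sample SBOM (not a real product): one direct log4j-core
# dependency plus two more bundled inside an application component.
SAMPLE_SBOM = json.loads("""
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "components": [
    {"type": "library", "group": "org.apache.logging.log4j", "name": "log4j-core",
     "version": "2.14.1", "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1?type=jar"},
    {"type": "library", "group": "org.apache.logging.log4j", "name": "log4j-api",
     "version": "2.14.1", "purl": "pkg:maven/org.apache.logging.log4j/log4j-api@2.14.1?type=jar"},
    {"type": "application", "name": "reporting-service", "version": "1.0",
     "components": [
       {"type": "library", "group": "org.apache.logging.log4j", "name": "log4j-core",
        "version": "2.12.4", "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.12.4?type=jar"},
       {"type": "library", "group": "org.apache.logging.log4j", "name": "log4j-core",
        "version": "2.3.1", "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.3.1?type=jar"}
     ]}
  ]
}
""")


if __name__ == "__main__":
    for name, version, purl in find_vulnerable_components(SAMPLE_SBOM):
        print(f"VULNERABLE {name} {version}  ({purl})")
```

Run as-is it reports the 2.14.1 and 2.3.1 entries and stays silent on 2.12.4 and on log4j-api; point `find_vulnerable_components` at `json.load(open("bom.json"))` to run it over a real SBOM. The per-line floors matter: a naive "anything below 2.17.1" check would wrongly flag the patched 2.12.4 and 2.3.2 builds that Java 7 and Java 6 deployments are stuck on.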

Shadow IT adds to the problem: applications that were never registered with IT can carry vulnerabilities that IT has no way of seeing.

Business continuity concerns also play an important role. If we see no problems, we would rather not change the software. Patching can require interruptions, downtime or restarts, which end users dislike, so they push to postpone the patches. And sometimes a vulnerability is publicly known, but the software vendor takes a long time to ship a fix.

Slow patching can also look like the prudent choice. Some IT and security professionals argue that immediate intervention could cause more damage, such as system instability or new, as yet unknown weaknesses. Every piece of software is, after all, part of a larger whole, and a change in one part of the chain can cause disruption elsewhere later. This dilemma highlights the conflict between the urgency of an update and the need to maintain system stability.

Security by design

A commonly proposed remedy for patch procrastination is a security-by-design approach: eliminating vulnerabilities through continuous testing and building security controls, authentication included, into the software early in the development phase rather than bolting them on afterwards. Such an approach is in line with recommendations from cybersecurity authorities, which advocate processes that bridge the gap between the release of a patch and its application.

Patching in a corporate environment starts with clear policies and procedures. A structured approach ensures that patching activities are aligned with business expectations and can be carried out efficiently, ideally outside office hours to minimize downtime. Automation and AI are proving valuable here, enabling faster responses to updates and better compliance with security standards. To address this need, Tanium announced Autonomous Endpoint Management last fall, which uses artificial intelligence to automate management tasks.

Tools and culture are equally important

Choosing the right patch management tools is crucial, but companies should be wary of tool proliferation, which actually complicates the patching process. When tools work in isolation, each IT department works with a limited view, whereas a holistic view is required, for example through converged endpoint management. An effective strategy is to evaluate existing tools, identify gaps and redundancies, and make full use of the tools’ capabilities to reduce manual work through automation.

It is equally important to foster a culture that prioritizes timely patching and vulnerability management. A comprehensive vulnerability management program and greater security awareness among users can significantly improve an organization’s resilience to cyber threats. Together with well-tuned policies and procedures, these measures enable IT and security teams to address patching challenges more effectively.

Cybersecurity is full of challenges, and slow patching is one of the most important. Any business that wants to protect its digital assets needs to understand the reasons behind this trend, the risks it carries and the strategies that mitigate them. With a holistic approach that combines technology, policy decisions and cultural change, organizations can improve their security posture and respond better to an ever-changing threat landscape.

This is a post from Wytze Rijkmans, Regional Vice President of Tanium. Further information about the company’s services can be found here.

Source: IT Daily
