Modernizing patch management in an evolving IT security landscape

Today’s IT security landscape is more complex than ever before, and will only continue to evolve. The rapid adoption of new technologies, the shift to hybrid work environments, and the proliferation of third-party applications have introduced new risks and expanded attack surfaces for organizations worldwide.

The increased use of these third-party applications, particularly on dispersed endpoints (i.e., laptops), can expose an organization to significant vulnerabilities. For example, a bad actor can gain access to a network through an unpatched security gap in an application running on a dispersed endpoint.

Neglecting to patch third-party applications and loose endpoints often has both financial and operational costs for organizations across multiple industries. According to a report from IBM, breaches cost an average of $4.90 million, resulting from attack vectors including cloud misconfiguration, unpatched vulnerabilities (including those already known to the organization), phishing attacks, and other tactics that are seen in businesses’ day-to-day operations.

Not only are data breaches costly, but they can be time-consuming, requiring multiple teams and working hours to address the risk effectively. Case in point, the Ponemon Institute reports that 88% of companies surveyed say they must coordinate across multiple teams to patch vulnerabilities, adding an average of 12 days to the process. This delay in patching impairs an organization’s overall security posture, leaving devices, applications, and software vulnerable to bad actors.

This makes robust patch management more critical than ever. 

The necessity of effective third-party patch management 

Despite the financial and operational threats that successful cyberattacks can lead to, unpatched vulnerabilities can be found in a wide range of devices, endpoints and applications. For example, according to the Ponemon Institute, 60% of respondents cited an unpatched vulnerability as a source of data leakage.

Relying on firewalls alone is no longer sufficient, and the number of software products and applications needed to keep business operations going creates more updates and patches. In a hybrid and multi-cloud environment, a single unpatched endpoint can compromise an entire network.

This further highlights that organizations can no longer rely solely on traditional network security measures. The reality is that as the number of devices and cloud-based applications in an organization increases, the attack surface increases and therefore the risk of a breach becomes higher. Thus, third-party patch management becomes essential to maintain the integrity of an organization’s operating systems.

Biggest mistakes in patch management

Organizations often make two common mistakes in patch management, which can have serious implications for their overall security posture. Understanding and addressing these pitfalls is crucial for maintaining a robust and secure IT environment.

The first is running software that has reached its end of life or end of support. Some IT teams may consider it safe to simply continue running the software past the end of support; however, it’s one of those small mistakes that can lead to costly consequences. Proactive IT departments will insist on replacing such software with an alternative that addresses the same need but is also being actively maintained and supported. By keeping track of the applications that an organization uses, security teams will have the insight to know when support for that application’s software has ended and how to pivot so that their organization can continue operating efficiently.

The second mistake organizations make is ignoring the communication component of third-party patch management. Just as patch management depends on systems communicating with one another, it also depends on people communicating with one another.

Establishing a work culture where scheduled patching can take place, with some room for exceptions, is crucial. For patch management to be not only successful but effective, department heads need to follow the guidance of IT and security teams, invite collaboration across departments, and agree to the organization’s policies.

How to effectively patch loose endpoints and third-party applications

To address current and emerging security threats, organizations need to consider patch management as a core component of their IT strategy. Key steps include:

  1. Conducting an inventory of devices and application landscape: Start by gaining a clear understanding of the types of devices, applications and software within the environment. Security begins with knowing the potential risks and entry points for hackers seeking to exploit an unpatched vulnerability within an operating system.
  2. Identifying a baseline secure state: With the diversity of technology used in businesses, it’s essential for teams to unify patch levels across all devices and consolidate end-user computing groups. In short, this means establishing a standard security state for the organization.
  3. Developing a patch management security roadmap and strategy: After assessing the potential vulnerabilities within a system, create a roadmap for a patch management process that meets the organization’s unique needs. Part of developing this roadmap should include understanding who owns each business process so that everyone is involved in the actionable steps to take.
  4. Consistently checking the patch catalog and automating patch management: Given the heightened frequency of end-of-life in software and escalations of cybercrime, organizations that fall behind in patching will find their security posture lacking. Organizations should consider investing in solutions that help automate this patching process, both to stay up-to-date and reduce the workload of IT teams.
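
The first two steps and the end-of-support check from the previous section can be combined into one automated comparison. The following is an added example, not code from any product or vendor: the host names, application names, versions and dates are constructed, and the baseline format is an assumption.

```python
from datetime import date

# Constructed baseline (step 2): minimum approved version per application,
# plus the vendor's end-of-support date where one has been announced.
BASELINE = {
    "browser-x":  {"min_version": "124.0.2", "end_of_support": None},
    "pdf-reader": {"min_version": "23.10.0", "end_of_support": None},
    "legacy-vpn": {"min_version": "4.10.1",  "end_of_support": date(2024, 6, 30)},
}

# Constructed inventory (step 1): what each endpoint reports as installed.
INVENTORY = [
    {"host": "laptop-01", "app": "browser-x",  "version": "124.0.2"},
    {"host": "laptop-01", "app": "pdf-reader", "version": "23.9.4"},
    {"host": "laptop-02", "app": "browser-x",  "version": "123.9.10"},
    {"host": "laptop-02", "app": "legacy-vpn", "version": "4.10.1"},
    {"host": "laptop-03", "app": "chat-tool",  "version": "1.2.0"},
]

def parse_version(text):
    """Compare versions numerically: as strings, '23.9.4' sorts above '23.10.0'."""
    return tuple(int(part) for part in text.split("."))

def assess(inventory, baseline, today):
    """Return (host, app, status) for every installed application."""
    findings = []
    for item in inventory:
        rule = baseline.get(item["app"])
        if rule is None:
            status = "untracked"        # not in the baseline: nobody owns its patching
        elif rule["end_of_support"] and rule["end_of_support"] < today:
            status = "end-of-support"   # no further patches will arrive; replace it
        elif parse_version(item["version"]) < parse_version(rule["min_version"]):
            status = "below-baseline"   # a patch exists but is not installed
        else:
            status = "compliant"
        findings.append((item["host"], item["app"], status))
    return findings

def hosts_needing_action(findings):
    """Endpoints with at least one non-compliant application."""
    return sorted({host for host, _, status in findings if status != "compliant"})

if __name__ == "__main__":
    for host, app, status in assess(INVENTORY, BASELINE, date(2025, 1, 15)):
        print(f"{host:10} {app:12} {status}")
```

The "untracked" status matters as much as the version checks: an application missing from the baseline is one whose end of support nobody is watching.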

Ultimately, all of these important steps require organizations to ensure that their patching process matches their business needs, rather than the other way around. This starts with empowering key decision-makers to buy in to the process and incorporating these needs into the budget.

With the diversity of endpoints and applications, and the increasing adoption of hybrid and multi-cloud environments, organizations need a holistic, adaptable approach to navigate the expanded attack surface. This comes in the form of constant, automated patch management, which gives IT teams a leg up on potential vulnerabilities, reduces team burnout, and ensures that the organization is not compromised due to a third party.