Software vendors are constantly releasing updates to their code designed to plug security holes and ward off attacks. Unfortunately, many of their customers fail to install them, which leaves those customers open to attack.
In many cases, the reason for delay comes down to the perceived disruption that updates can cause. Devices usually need to be restarted to allow the code to be installed, which results in interrupted workflows and a drop in productivity.
As a result, the deployment of patches that could have prevented a cyberattack is delayed and an organisation then finds itself becoming a victim. This is particularly frustrating as it's a situation that could readily have been avoided.
According to research by security company F-Secure, 61% of existing vulnerabilities in corporate networks actually date back to 2016 or earlier. This is despite the fact that patches have been available for more than five years. In some cases, vulnerabilities that continue to be exploited by cybercriminals are more than a decade old.
The importance of updates
Organisations that have been postponing software updates and are yet to fall victim to an attack might have a false sense of security and believe that patches are not really necessary. However, a high-profile cyberattack that targeted the International Committee of the Red Cross (ICRC) proves this confidence is misplaced.
In the incident, cybercriminals gained access to the ICRC's systems by exploiting a known, but unpatched, critical vulnerability in a single sign-on tool developed by Zoho, a company that makes web-based solutions for business management. During the attack, data relating to more than 515,000 'highly vulnerable' individuals was compromised.
According to IBM's X-Force Threat Intelligence Index 2022, more than a third (34%) of reported cyberattacks during 2021 were due to vulnerabilities being exploited. This represented a 33% increase on the previous year.
These numbers clearly demonstrate the size of the attack vector created by avoiding software patches and updates. The report also highlights the increase in the number of vulnerabilities, which reached a new record high of 19,649 new cases.
According to WatchGuard's Internet Security Report, which analyses the latest malware and attacks targeting organisations around the world, the volume of network attacks reached a four-year high in 2021 with some 5.7 million network exploits in the fourth quarter alone. This shows the problem is continuing to intensify.
Taking a defensive stance
Clearly, an effective way to reduce the likelihood of falling victim to an attack is to ensure all patches and updates are installed as soon as they are released by software vendors. To achieve this, there are four key steps that organisations can take:
1. Automate processes: Always enable automatic software updates whenever possible. Doing this will ensure that new updates and patches are installed as rapidly as possible.
2. Avoid outdated applications: Organisations should avoid using end-of-life and unsupported software as these applications will no longer be receiving updates from the vendor.
3. Go to the source: It's important to visit software vendor sites directly to source updates rather than clicking on advertisements or email links that could result in the installation of malicious code.
4. Use a secure network: Software updates should not be undertaken when a device is connected to an untrustworthy network, such as a public Wi-Fi service.
A critical issue
The timely installation of software patches and updates is a critical part of ensuring the robustness of an organisation's IT security. In addition to the steps above, it is also important to recognise that organisations have a duty to monitor and mitigate known vulnerabilities that are continually being exploited by cybercriminals.
This is because it is not just the organisation itself that could fall victim to an attack. Once they have gained access to a target IT infrastructure, cybercriminals can also cause disruption and loss to customers, business partners and other third parties.
Being aware of new patches as they become available and installing them in a timely manner is a critical part of any effective security strategy.