It’s well-known that many cyberattacks take advantage of vulnerabilities in software that has not been updated, but in 2021, why are companies often slack in installing patches?

A new report from Ivanti Inc. may provide answers to that question. The company surveyed information technology and security professionals and found that 71% consider patching overly complex, cumbersome and time-consuming.

In the age of COVID-19 and shift to remote work, 57% of respondents said remote work had increased the complexity and scale of patch management. That shift, with employees connecting with various devices to access corporate networks, data and services as they work and collaborate from new and different locations, is said to have made patching harder than ever.

The complicated nature of dealing with a remote workforce is not the only challenge when it comes to patching, with other demands on time also playing a role. Some 62% of respondents said that patching often takes a back seat to their other tasks and 60% said that patching causes workflow disruption to users. In addition, 61% of IT and security professionals said business owners ask for exceptions or push back maintenance windows once a quarter because their systems cannot be brought down.

As threat actors mature their tactics and weaponize vulnerabilities, especially those with remote code execution, organizations struggle with attack surface risk and ways to accelerate patch and remediation actions. More than half of respondents said that organizing and prioritizing critical vulnerabilities takes up most of their time, followed by issuing resolutions for failed patches (19%), testing patches (15%) and coordinating with other departments (10%). Just under half of respondents said their company’s current patch management protocols fail to mitigate risk effectively.

The report gives a solid example of where an attack could have been mitigated by patching: the WannaCry ransomware attack in 2017. That attack, which encrypted an estimated 200,000 computers in 150 countries, exploited a vulnerability in software where a patch for the vulnerability had existed for several months before the initial attack, yet many organizations failed to implement it.

Two years later in 2019, the same vulnerability used in WannaCry was still being exploited, and Ivanti notes that there was a 53% increase in the number of organizations affected with WannaCry ransomware from January to March this year, nearly four years after the initial attack.

“These results come at a time when IT and security teams are dealing with the challenges of the Everywhere Workplace, in which workforces are more distributed than ever before, and ransomware attacks are intensifying and impacting economies and governments,” Srinivas Mukkamala, senior vice president of security products at Ivanti, said in a statement. “Most organizations do not have the bandwidth or resources to map active threats, such as those tied to ransomware, with the vulnerabilities they exploit.”

Photo: Pxhere