The Critical Role of Patch Management in the Fight against Ransomware

Ransomware attacks exploiting vulnerabilities in businesses’ networks are on the rise, as cybercriminals recognize that delayed patching and subpar patch management are widespread among organizations and present the perfect opportunity for quick financial gain. A new report from Osterman Research reveals that security professionals acknowledge that rapidly patching vulnerabilities on their networks is key to preventing ransomware attacks, yet fewer than half of survey respondents said that they rapidly patch their systems and applications.

Delayed patching carries a hefty price for businesses: the Ponemon Institute reports that four out of 10 data breaches occur because a patch was available but not applied. This article examines why vulnerabilities frequently remain unpatched, what delayed patching costs, and how organizations can improve patch management to protect against ransomware and other dangerous, costly threats.

Why Do Vulnerabilities Often Remain Unpatched?

Most organizations lack the technology and staff needed to keep up with the flow of patches from IT platform and software vendors. The Ponemon Institute notes that even when the resources are available, “timely patching is difficult to achieve.” A survey conducted by Cisco likewise found that few security tasks are more tedious than vulnerability management, and rated patching one of the least well-implemented practices in the field. Common reasons include:

  • Time spent remediating false positives.
  • No tolerance for the downtime required for patching.
  • No common view of applications and assets across security and IT teams.
  • Manual processes allow problems to slip through the cracks.
  • Lack of coordination between the security and IT teams.
  • Inability to hold departments accountable.
  • Fear of unintended impacts from updates on systems and applications.
  • Doubt among smaller companies that attackers would target them.
  • Old, unsupported software and systems for which patches are no longer released.

The Hefty Price of Delayed Patching

The 2021 Microsoft Vulnerabilities Report counted 1,268 Microsoft vulnerabilities patched in 2020, up 48% from 2019, part of a continuous flow of flaws that threat actors can use to deliver ransomware. Microsoft may be the most widely used enterprise productivity platform, but it is only one vendor among many, and leaving vulnerabilities in any of them unpatched can have costly consequences.

The Microsoft Vulnerabilities Report also points back to the WannaCry ransomware attack of 2017. Microsoft had already released a patch closing the vulnerability WannaCry exploited, but many companies had not applied it, and those unpatched systems are what allowed the attack to spread so widely.

The longer a vulnerability is left unpatched, the greater the risk and the further a ransomware incident can progress through stages such as:

  • Initial infection and compromise.
  • Lateral movement and persistence.
  • Operational disruption.
  • Financial compromise.
  • Cessation of business operations.

Delayed patching can also cost an organization its cyber insurance coverage and create compliance exposure. Some insurance providers may decline to cover the cost of a data breach if the company was behind on patches. In other cases, a company that failed to update its software can be subject to fines if personal information is exposed in a breach.

Improving Patch Management

According to Ponemon, manual processes delay patching because an employee has to assign and push through each step. Roughly one-third of organizations report that their cybersecurity capabilities have not changed in the past three years, while cybercriminals have continued to evolve and accelerate their attacks. The good news is that automation is becoming more widely available through patch and vulnerability management tools.

These tools prioritize vulnerabilities and assign remediation tasks automatically. More sophisticated vulnerability management tools also consult threat feeds and run frequent scans of systems, applications, and networks. A CISA advisory recommends that companies “consider using a centralized patch management system.” Some companies may also choose to outsource part or all of this work to a service provider. As budgets for countering ransomware grow, experts recommend dedicating a portion of those funds to building rapid patching capability.

From 2020 to 2021, security budgets per employee rose by 20% at organizations with fewer than 1,000 employees and by 30% at those with more than 1,000, which translates to roughly $400 and $275 per employee respectively.

Prioritize Patching by Risk, Not by Scoring

Organizations should implement vulnerability management tools and prioritize patching by risk rather than by severity score alone. A score describes how bad a flaw is in the abstract; risk combines that with whether the flaw is being exploited in the wild, whether the affected system is exposed, and how critical it is to the business. A vulnerability that is actively being used to deploy ransomware is a high-priority patch regardless of where it falls in the scoring, while a higher-scored flaw on an isolated, low-value system can wait for the next maintenance window.
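The ranking logic described above, written out as an added example (it is not code from the original article or from any particular vulnerability management product). It joins constructed scanner output with a constructed known-exploited feed and asset inventory, scores each finding by risk, and shows how the resulting order differs from a plain severity sort. The vulnerability IDs, asset names, multipliers and tier thresholds are all illustrative assumptions.

```python
"""Prioritize patching by risk, not by severity score alone.

Added example, not the article's own code. All data below is constructed
sample input; the weights and thresholds are assumptions, not a standard.
"""

# Constructed feed of vulnerability IDs with confirmed in-the-wild exploitation
# (placeholder IDs, not real advisories), and the subset tied to ransomware.
KNOWN_EXPLOITED = {"VULN-2", "VULN-4"}
RANSOMWARE_LINKED = {"VULN-2"}

# Constructed asset inventory: network exposure and business criticality (1-3).
ASSETS = {
    "web-01": {"internet_facing": True, "criticality": 3},
    "db-01": {"internet_facing": False, "criticality": 3},
    "kiosk-07": {"internet_facing": False, "criticality": 1},
}

# Constructed scanner output: one finding per (vulnerability, asset) pair.
FINDINGS = [
    {"id": "VULN-1", "asset": "db-01", "cvss": 9.8},
    {"id": "VULN-2", "asset": "web-01", "cvss": 7.5},
    {"id": "VULN-3", "asset": "kiosk-07", "cvss": 9.1},
    {"id": "VULN-4", "asset": "db-01", "cvss": 6.5},
]


def risk_score(finding, assets=ASSETS, kev=KNOWN_EXPLOITED,
               ransomware=RANSOMWARE_LINKED):
    """Scale the severity score by exploitation, exposure and asset value.

    The multipliers are illustrative assumptions; the point is that context
    moves a finding up or down the list independently of its base score.
    """
    asset = assets[finding["asset"]]
    score = finding["cvss"]
    if finding["id"] in kev:
        score *= 2.0          # confirmed exploitation in the wild
    if finding["id"] in ransomware:
        score *= 1.5          # known to be used by ransomware operators
    if asset["internet_facing"]:
        score *= 1.5          # reachable by attackers without a foothold
    score *= asset["criticality"]
    return round(score, 2)


def remediation_tier(score):
    """Map a risk score to a patch deadline (thresholds are assumptions)."""
    if score >= 60:
        return "emergency: patch within 72 hours"
    if score >= 30:
        return "high: patch within 14 days"
    return "standard: next maintenance window"


def rank_by_cvss(findings):
    """Naive ordering: highest severity score first."""
    return [f["id"] for f in sorted(findings, key=lambda f: f["cvss"],
                                    reverse=True)]


def rank_by_risk(findings):
    """Risk-based ordering: highest contextual risk first."""
    return [f["id"] for f in sorted(findings, key=risk_score, reverse=True)]


if __name__ == "__main__":
    print("By score:", rank_by_cvss(FINDINGS))
    print("By risk: ", rank_by_risk(FINDINGS))
    for f in sorted(FINDINGS, key=risk_score, reverse=True):
        s = risk_score(f)
        print(f"{f['id']:7} on {f['asset']:8} cvss={f['cvss']:<4} "
              f"risk={s:<7} -> {remediation_tier(s)}")
```

Run as-is, the score-only ordering puts the 9.8 on the isolated database server first, while the risk ordering moves the 7.5 that is exploited by ransomware on the internet-facing web server to the top and pushes the 9.1 on a low-value kiosk to the bottom. In practice the constructed sets and dictionaries would be replaced by your scanner export, an exploited-vulnerability feed, and your asset inventory, which is exactly the "common view of applications and assets" the earlier list says many organizations lack.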

The Bottom Line

Patching is a fundamental part of good cybersecurity hygiene, yet it is also an area where companies often fall short. New research highlights the importance of patching and patch management as part of a defense-in-depth approach to the growing ransomware threat that faces all businesses.
