Every month, the US government’s National Institute of Standards and Technology publishes a list of newly discovered IT vulnerabilities. In September 2023 alone, it reported 2,825 known software vulnerabilities.
To fix each of these problems, software publishers must create patches and deliver them to their customers to install. But given the sheer number of vulnerabilities being discovered all the time, many companies find themselves overwhelmed.
And that can lead to ‘patching paralysis’, where they struggle to keep up to date with software fixes and upgrades.
Patching paralysis poses a serious threat to businesses. As the UK government’s National Cyber Security Centre points out:
Patching remains the single most important thing you can do to secure your technology.
The National Cyber Security Centre (NCSC)
Failing to apply patches to your software gives cybercriminals a backdoor into your systems. So, why does patching paralysis happen – and what can be done about it?
What is Patching Paralysis?
Patching paralysis is when organizations fail to adequately implement software upgrades because they are overwhelmed by the sheer number (and ever-changing nature) of patches they need to install.
Despite patching being a ‘basic’ security process, it is no simple task. There are many variables that slow IT teams down when it comes to patching, and this can leave them feeling ‘paralyzed’.
How Much of a Problem Is Patching Paralysis?
Patching paralysis is extremely common. Indeed, research suggests it’s the norm at most organizations.
Data published by Statista for 2022 show that, on average, companies take between 180 and 290 days to patch cyber vulnerabilities.
So, is it really such an issue? In short, yes.
The obvious reason is that patching prevents security breaches.
According to a 2019 survey by the Ponemon Institute, a whopping 60% of organizations whose systems were breached would have been protected if they’d applied a patch that was already available.
This is a sobering thought for any IT professional.
One of the dilemmas that all software publishers face when they release patches is that they are telling the world – hackers included – that there’s a vulnerability in their products.
An article in IBM’s Security Intelligence blog reports that cyber criminals act fast after learning about these vulnerabilities – typically launching their first attacks within 15 days.
So if patching paralysis means firms take weeks – or even months – to install patches, they leave themselves open to attack.
Why Does Patching Paralysis Happen?
The underlying causes of patching paralysis are complex and vary from one organization to the next. That said, the following factors often contribute to the issue.
Organizations Use Large Numbers of Applications and Devices
Most businesses today are using dozens – and sometimes hundreds – of apps, widgets and other pieces of software.
According to a Forrester study for AirTable (an app-building platform) the average large organization today is running 367 apps and systems.
Many of these pieces of software will have rolling patches and upgrades – often on a monthly basis. Although some pieces of software can be automatically patched by the publisher over the internet, many still require someone to manually install them.
Patching Takes Time
If installing patches on company systems was simply a case of downloading the patch and clicking ‘run’, then patching would be relatively easy. Unfortunately, patching is usually a time-consuming process.
According to one study by Edgescan, a penetration testing company, it takes the average organization 60 days to go through the process of installing a patch.
One of the main reasons that patching takes so long is that organizations will have modified the software. This means that installing a patch without first seeing how it might interact with your modifications could ‘break’ your environment.
Companies therefore need to spend time testing the patch in a ‘sandbox’ before running it system-wide.
Installing patches usually requires an organization’s devices to be rebooted. This means patching disrupts the business’s work. As a result, many companies opt to schedule patches over weekends or at night-time when fewer staff need access to their technology. Again, this slows the process down.
Another reason patching takes time is that IT teams often need approvals to install patches. Particularly at larger organizations, several senior people may need to give sign-off, and that causes delays too.
A Lack of Resources Contributes to Patching Paralysis
In a study by research organization the Ponemon Institute, almost 80% of businesses said they simply don’t have enough resources to keep up with the volume of patches they’re required to install.
Patching requires IT staff to test each update, sanitize them, then install them across systems, and check for any problems.
And while patching is skilled work, it’s also repetitive, manual and thankless labor which often requires staff to work nights or weekends. It’s not always easy to get employees to agree to install major upgrades at short notice.
The nature of the resource problem varies by company size.
At small firms, there may only be one or two tech staff who are overwhelmed by all the patches they must install.
At larger companies, there are dozens of apps to upgrade every week, communication problems, and approvals to deal with.
Continually Changing Schedules
Perhaps one of the biggest contributors to patching paralysis is the fact that the order of upgrades is continually changing. Most organizations have a schedule for rolling patches out.
However, if a high-risk vulnerability is discovered in a key operating system, then this patch must be pushed to the top of the IT team’s to-do list. That disrupts other upgrades, and causes general disruption in the patching schedule.
The Prioritization Problem
Patches are often categorized as low, medium or high risk.
A high-risk patch could fix a serious vulnerability in an operating system like Windows 10, while a ‘low-risk’ patch might address a configuration problem in a project management app that’s only used by a handful of employees.
The problem, however, is that all vulnerabilities could potentially become targets for cybercriminals.
Just because one piece of software is categorized as ‘low risk’, that doesn’t mean cyber criminals couldn’t use its known vulnerabilities as an entry point to your environment.
Weighing up which patches to focus on – and how much time to dedicate to each – can cause headaches and indecision.
Other Causes of Patching Paralysis
There are plenty of other reasons that organizations fail to patch their software fast enough. Common challenges include:
- Silos within IT departments mean information about patches or who’s installing them is not shared – leading to misunderstandings.
- A lack of awareness about all endpoints (particularly where ‘bring your own device’ policies are permitted) and ‘shadow IT’.
- Ineffective processes for tracking patch releases by publishers.
- Reliance on legacy software that no longer receives updates from the publishers.
- Certain systems and devices (such as medical equipment) cannot be patched for other reasons.
Signs of Patching Paralysis at an Organization
So, how can you tell if your organization is affected by patching paralysis? Here are some of the telltale signs that we see again and again:
Patches Take Months to Install
Easily the clearest sign of patching paralysis is that it takes an organization an inordinate amount of time to install updates. In an ideal world, patches would be installed the day they’re released – or within a couple of weeks at most.
Responsibility for Patching Is Unclear
Is there a single, named person who is directly responsible for staying on top of all patches at your organization? It is surprisingly common for companies to lack a single point of contact for patch management.
This is particularly the case in organizations that use a mix of on-premises and cloud software – different people often configure different systems. And that can sometimes mean patches fall through the cracks.
Lack of Communication and Awareness
A similar issue is that many organizations are unaware of what is being patched and by whom. This is especially the case when different parts of the IT department work in silos, so are not sure who is responsible for patching what.
Conflicts With the Wider Business
Very often, IT teams are prevented from patching because the rest of the organization is resistant to updates and cannot tolerate downtime. The IT team must wait for opportune moments when other employees are away (weekends, holidays, nights) before they can install major upgrades.
No Clear Process for Prioritizing Patches
As noted above, prioritizing which patches need to be installed and in what order is difficult. But it’s made even harder when IT teams don’t have a consistent patch management policy that settles questions such as:
- What counts as a ‘high risk’ patch for your organization?
- Which software is so vital to your business that new patches must be installed instantly?
- What sorts of upgrades can be delayed while more urgent work is carried out – and why?
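The three policy questions above, and the earlier point that a ‘low-risk’ patch is still a patch with a deadline, can be written down as a small rule set rather than decided case by case. The script below is an added example, not code from the article or from Heimdal’s product: it assumes a constructed SLA (7/30/90 days per tier), a rule that raises a patch’s tier one step when it touches a business-critical system, and a hypothetical inventory of five patches. It orders pending work by how overdue it is and reports the warning signs discussed in this section (overdue patches, patches still open past the 15-day attacker window cited earlier, and a mean time to patch above the ‘couple of weeks’ ideal).

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

# Constructed policy for this example: days allowed from patch release to
# deployment for each risk tier. These SLA values are an assumption, not
# figures from the article.
SLA_DAYS = {"high": 7, "medium": 30, "low": 90}
TIER_RANK = {"high": 0, "medium": 1, "low": 2}
ATTACKER_WINDOW_DAYS = 15   # first attacks typically land within 15 days of disclosure
IDEAL_MAX_DAYS = 14         # "within a couple of weeks at most"


@dataclass
class Patch:
    app: str
    cvss: float                       # advisory severity, 0.0 to 10.0
    asset_critical: bool              # does the patched system run a vital business function?
    released: date
    installed: Optional[date] = None  # None means still pending


def tier(p: Patch) -> str:
    """Map a patch to high/medium/low. A critical asset raises the tier one
    step, and nothing is dropped: even a 'low' patch gets a deadline."""
    if p.cvss >= 7.0:
        base = "high"
    elif p.cvss >= 4.0:
        base = "medium"
    else:
        base = "low"
    if p.asset_critical and base == "low":
        return "medium"
    if p.asset_critical and base == "medium":
        return "high"
    return base


def deadline(p: Patch) -> date:
    """Latest acceptable install date under the tier's SLA."""
    return p.released + timedelta(days=SLA_DAYS[tier(p)])


def age_days(p: Patch, today: date) -> int:
    """Days from release to install, or to today if still pending."""
    return ((p.installed or today) - p.released).days


def prioritize(patches: List[Patch], today: date) -> List[Patch]:
    """Pending patches, most overdue first; ties broken by tier."""
    pending = [p for p in patches if p.installed is None]
    return sorted(pending, key=lambda p: ((deadline(p) - today).days, TIER_RANK[tier(p)]))


def mean_time_to_patch(patches: List[Patch], today: date) -> float:
    """Average release-to-install age over patches that have been installed."""
    done = [age_days(p, today) for p in patches if p.installed is not None]
    return sum(done) / len(done) if done else 0.0


def paralysis_signs(patches: List[Patch], today: date) -> Dict[str, float]:
    """Quantify the warning signs: overdue work, patches still open past
    the attacker window, and a mean time to patch above the ideal."""
    pending = [p for p in patches if p.installed is None]
    mttp = mean_time_to_patch(patches, today)
    return {
        "overdue": sum(1 for p in pending if deadline(p) < today),
        "open_past_attacker_window": sum(
            1 for p in pending if age_days(p, today) > ATTACKER_WINDOW_DAYS
        ),
        "mean_time_to_patch": mttp,
        "slower_than_ideal": mttp > IDEAL_MAX_DAYS,
    }


# Constructed inventory (hypothetical apps and dates) so the script runs stand-alone.
TODAY = date(2023, 10, 16)
PATCHES = [
    Patch("Windows 10", 9.8, True, date(2023, 10, 10)),
    Patch("Project tracker", 3.1, False, date(2023, 7, 1)),
    Patch("ERP", 5.5, True, date(2023, 9, 20)),
    Patch("Chat app", 6.0, False, date(2023, 9, 1), installed=date(2023, 9, 12)),
    Patch("VPN gateway", 8.1, True, date(2023, 6, 1), installed=date(2023, 9, 29)),
]

if __name__ == "__main__":
    for p in prioritize(PATCHES, TODAY):
        left = (deadline(p) - TODAY).days
        print(f"{p.app:16} tier={tier(p):6} due={deadline(p)} days_left={left}")
    print(paralysis_signs(PATCHES, TODAY))
```

With the constructed data, the medium-severity ERP patch comes out first because the critical-asset rule lifts it to the high tier and its 7-day deadline has passed, while the ‘low-risk’ project tracker patch is second because even its generous 90-day window has lapsed; the recent Windows 10 patch is still within SLA. The mean time to patch for the two installed items is 65.5 days, well above the two-week ideal, which is the kind of number this section describes as a sign of paralysis.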
Modernize Patch Management With Heimdal®
Countless organizations around the world suffer from patching paralysis – leaving themselves exposed to avoidable risk. And this is why we built our Patch & Asset Management solution.
The technology gives IT teams a centralized console with complete visibility of their entire software inventory.
Every app your organization uses is displayed in the dashboard. We then alert you the moment any new vulnerabilities are discovered and patches released.
Your IT teams can then install those fixes right from the dashboard. And, thanks to Heimdal’s automation features, you can test, sanitize and deploy patches onto your systems, without hours of tedious manual work.
Learn more about our automated patch management solutions and overcome patching paralysis once and for all.
Heimdal® Patch & Asset Management
- Create policies that meet your exact needs;
- Full compliance and CVE/CVSS audit trail;
- Gain extensive vulnerability intelligence;
- And much more than we can fit in here...
Key takeaways:
- Patching paralysis is very common;
- It is caused by the sheer number of updates required across multiple systems;
- Organizations struggle to prioritize and deploy patches in a timely manner;
- Learn about better methods for keeping software up to date;