This year is turning out to be a bonanza for hackers. Recent cybersecurity incidents include an attack against Sysco, one of the world's largest food distributors, that occurred in January but was not discovered until March, exposing Social Security numbers belonging to more than 125,000 people, according to a filing by Sysco's outside counsel.
The breach is reportedly being investigated, but some cybersecurity professionals cannot help but think back to 2017, when the WannaCry ransomware "crypto worm" spread on its own across networks and penetrated more than 200,000 Windows computers in 150 countries in a matter of hours. Upon infecting a device, WannaCry encrypted its files and demanded a ransom; the resulting damage has been estimated in the billions of dollars. The damage was bad enough, but for many observers an equally frustrating fact was that, two months before the attack, Microsoft had identified the vulnerability WannaCry exploited and had already issued a downloadable patch, or update, that closed it.
So, why did so many devices get infected? Many Windows users had simply not downloaded and installed the update (and some were still running versions of Windows so old that Microsoft no longer supported them, which only made the patch harder to get). Not much has changed since then: one international survey indicates that only 36% of users "always" install the latest patches or software updates.
Software and operating system vendors issue patches to fix bugs, close security vulnerabilities, and add or harden features. Typically there is no additional charge for a patch, and installing one rarely disrupts operations beyond a scheduled restart. But as WannaCry and other attacks dramatically demonstrate, businesses and individuals that do not keep up with their patches are putting their operations at risk.
Why do they avoid this simple security step? Some excuses we have heard include: “We forgot,” “We did not know about the update,” or “We were short-staffed and put it off” — all of which do little to help when systems are compromised. There really is no excuse for missing out on patch updates, especially since many outsourced IT support providers offer packages that can automate the process of hunting for updates and installing them. Besides bolstering a system’s security, this may be more cost-effective than paying staff to spend time locating and installing patches.
These kinds of automated agents can do more than hunt for and install updates: they can also monitor for compliance, tackle issues, and alert IT support providers about any problems so they can quickly be addressed. Integrated patch solutions typically include an audit tool that inventories all the software residing on a system, a scanner that compares that inventory against the vendor's released patches to find what is missing, a tool that downloads and installs the missing patches, and a compliance monitor that verifies the fixed version is actually present afterward. That last step matters because a patch that was downloaded may never have been installed, may have failed, or may have been rolled back or blocked by an attacker who already has a foothold, without any obvious warning sign.
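To show what the compliance-monitoring step looks like in practice, here is an added example that is not code from the article or from eMazzanti Technologies. It assumes a constructed, dpkg-style package inventory and a hypothetical baseline of minimum fixed versions; the version comparison is simplified to dotted numeric segments (real package managers have richer ordering rules). The same logic applies to a Windows hotfix list: check the installed version against the fixed version, and compare against the previous check so a rollback is caught rather than silently accepted.

```python
"""Minimal patch-compliance check: compare installed package versions against
a baseline of minimum fixed versions and flag missing, outdated or rolled-back
packages. Sample data below is constructed for illustration, not from a real host."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Hypothetical baseline: package -> minimum version that carries the fix.
BASELINE: Dict[str, str] = {
    "openssl": "3.0.13",
    "openssh-server": "9.6",
    "curl": "8.5.0",
    "sudo": "1.9.15",
}

# Constructed "dpkg -l"-style inventory lines from a hypothetical host.
INVENTORY = """\
ii  openssl         3.0.13   amd64  Secure Sockets Layer toolkit
ii  openssh-server  9.3      amd64  secure shell (SSH) server
ii  curl            8.10.1   amd64  command line tool for transferring data
"""

# Versions recorded at the previous check, used to detect rollbacks.
PREVIOUS: Dict[str, str] = {"openssl": "3.0.13", "openssh-server": "9.6", "curl": "8.10.1"}


def parse_version(v: str) -> tuple:
    """Turn '8.10.1' into (8, 10, 1) so that comparison is numeric, not lexical
    ('8.10.1' > '8.5.0' as tuples, but not as strings). Simplified: epochs,
    tildes and other package-manager ordering rules are not handled."""
    return tuple(int(x) for x in re.findall(r"\d+", v))


def parse_inventory(text: str) -> Dict[str, str]:
    """Extract package -> version from dpkg-style lines whose status is 'ii' (installed)."""
    installed = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[0] == "ii":
            installed[parts[1]] = parts[2]
    return installed


@dataclass
class Finding:
    package: str
    kind: str              # "not_installed", "outdated" or "rollback"
    installed: Optional[str]
    required: str          # baseline version, or the previously seen version for a rollback


def check_compliance(installed: Dict[str, str], baseline: Dict[str, str],
                     previous: Optional[Dict[str, str]] = None) -> List[Finding]:
    """Report every baseline package that is absent, below the fixed version,
    or lower than it was at the last check (a rollback, whether accidental or hostile)."""
    findings: List[Finding] = []
    for pkg, required in baseline.items():
        cur = installed.get(pkg)
        if cur is None:
            # Absent software is not vulnerable, but operators should confirm it is expected.
            findings.append(Finding(pkg, "not_installed", None, required))
            continue
        if parse_version(cur) < parse_version(required):
            findings.append(Finding(pkg, "outdated", cur, required))
        if previous and pkg in previous and parse_version(cur) < parse_version(previous[pkg]):
            findings.append(Finding(pkg, "rollback", cur, previous[pkg]))
    return findings


if __name__ == "__main__":
    for f in check_compliance(parse_inventory(INVENTORY), BASELINE, PREVIOUS):
        print(f"{f.kind:14} {f.package:16} installed={f.installed} required={f.required}")
```

Run against the constructed data, the check reports openssh-server as both outdated and rolled back (9.3 where 9.6 was required and previously present) and sudo as not installed, while openssl and curl pass. A rollback finding is the one that deserves an immediate alert, since a version going backwards is rarely something a legitimate update does.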
But many businesses do not think about these kinds of Cyber Security managed services solutions because they are not considered “sexy.” Setting up a basic security protocol is not exciting enough to warrant a lot of attention, at least until something goes wrong. At that point, after the damage is done, the issue will get a lot of attention. Of course, businesses that stay on top of their patches — either manually or with an automated tool — can usually avoid a lot of grief, wasted time and money, and damage to their reputation.
Carl Mazzanti is president of eMazzanti Technologies in Hoboken, N.J., providing IT consulting services for businesses ranging from home offices to multinational corporations.