Unpatched Vulnerabilities Hamper IT Security Efforts

Executive leadership teams are overlooking critical gaps in vulnerability management within organizations, despite a series of high-profile breaches, according to an Action1 survey of 804 IT professionals.

The study revealed that, on average, 20% of endpoints remain continuously unpatched due to laptop shutdowns or update errors, and 30% of organizations take more than a month to detect known vulnerabilities.

Mike Walters, vice president of vulnerability and threat research and co-founder of Action1, said there are several reasons why one-fifth of endpoints may remain unpatched.

“One reason is the lack of effective tools and processes for vulnerability remediation that meet the needs of the organization and its users, especially in today’s complex IT environments,” he said.

A contributing factor is the shift to remote work: as many laptops are now remote, VPN-based technologies may not be stable.

“Even if an organization has a patching tool, it may not work properly for those who have switched to remote work,” Walters noted.

In fact, the survey revealed that in 75% of cases, user laptops are turned off when they are scheduled for a patch, resulting in patching failures.

Just 36% of organizations reported using a patch management tool, despite most organizations (62%) reporting the use of an endpoint protection system (EPS) for vulnerability management.

Executive Education

“IT security leaders need to explain why it’s essential to be proactive in your cybersecurity strategy and how the consequences of an attack are much worse than just slowing down the growth,” Walters explained.

He said he believes IT security leaders need to provide more risk education to the rest of the executive team.

“It’s all about aligning the goals and creating a common understanding of the risks organizations face,” he added.

Mike Parkin, senior technical engineer with Vulcan Cyber, explained there are probably as many reasons why companies struggle with vulnerability management as there are companies.

“However, it often comes down to budget, with the bottom line being more important than overall security,” he said. “After all, it’s hard to quantify the impact of an attack that was prevented.”

He added that, in a lot of organizations, there are silos that compartmentalize IT, security and other business groups, which can make it hard to get the right data to the right people.

“There can also be something of a ‘language barrier’ as detailed cybersecurity risk discussions can be very technical, and it’s not always easy to explain the relative severity of a situation across to upper management,” Parkin noted.

He said there are always new vulnerabilities being announced, and vulnerability scanners are always reporting new and interesting flaws in the environment.

“It can be difficult to prioritize which ones are the most important in the environment, which means that sometimes the SecOps team is simply overwhelmed,” he explained. “There’s also the element of ‘out of sight, out of mind’ and the fact that if a vulnerability is missed, there’s no process in place to go back and review to make sure everything is up-to-date.”

Implementing tools and processes to get the relevant information to the right people is vital, as is a policy of reviewing reports regularly so upper management can get a better understanding of the situation.

“It’s similar to the issue with security logging,” Parkin said. “Security logs are considered a best practice, but few organizations take the crucial step of regularly reviewing the logs to find anomalies.”
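The review step described above (a regular pass over patch reports so that endpoints that keep missing their window, like the fifth of endpoints the survey found continuously unpatched, are actually noticed) is concrete enough to script. The following is an added example, not code from the article or from Action1 or Vulcan Cyber. It assumes a patch deployment log export with the columns hostname, patch_id, scheduled and status (an assumed schema; real tools export their own), a constructed sample of that export, and an assumed 14-day remediation SLA. It reports which patches are still outstanding per endpoint, whether the attempts failed because the device was offline at the scheduled time or because of an update error, and what share of the fleet is overdue.

```python
"""Patch-status review: flag endpoints that keep missing their patch window.

Added example (not from the article or the vendors quoted in it). Reads a
patch deployment log export, finds patches with no successful attempt, and
summarises why they keep failing and how many hosts are overdue.
"""
from __future__ import annotations

import csv
import io
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample export: one row per patch attempt per endpoint.
# Column names are an assumption. status is "success", "offline" (device was
# off at the scheduled time) or "error" (update ran and failed).
SAMPLE_EXPORT = """\
hostname,patch_id,scheduled,status
lt-0101,KB-A,2024-03-05T02:00,offline
lt-0101,KB-A,2024-03-12T02:00,offline
lt-0101,KB-A,2024-03-19T02:00,offline
lt-0102,KB-A,2024-03-05T02:00,success
lt-0103,KB-A,2024-03-05T02:00,error
lt-0103,KB-A,2024-03-12T02:00,error
lt-0103,KB-B,2024-03-20T02:00,error
ws-0201,KB-A,2024-03-05T02:00,success
ws-0201,KB-B,2024-03-20T02:00,success
"""

AS_OF = datetime(2024, 3, 26, 12, 0)   # report date (constructed)
MAX_PENDING = timedelta(days=14)       # assumed SLA: applied within 14 days of first schedule


def load_attempts(export_text: str) -> list[dict]:
    """Parse the export into rows with a datetime 'scheduled' field."""
    rows = []
    for row in csv.DictReader(io.StringIO(export_text)):
        row["scheduled"] = datetime.fromisoformat(row["scheduled"])
        rows.append(row)
    return rows


def outstanding_patches(attempts: list[dict], as_of: datetime = AS_OF,
                        max_pending: timedelta = MAX_PENDING) -> dict:
    """Return {(hostname, patch_id): info} for patches with no successful attempt.

    A patch is 'overdue' when its first scheduled attempt is older than
    max_pending; 'dominant_reason' is the most common failure status, which
    separates devices that are never on at patch time from broken updates.
    """
    by_key: dict[tuple[str, str], list[dict]] = {}
    for a in attempts:
        by_key.setdefault((a["hostname"], a["patch_id"]), []).append(a)

    result = {}
    for key, tries in by_key.items():
        tries.sort(key=lambda a: a["scheduled"])
        if any(t["status"] == "success" for t in tries):
            continue  # eventually applied, nothing to review
        first = tries[0]["scheduled"]
        reasons = Counter(t["status"] for t in tries)
        result[key] = {
            "attempts": len(tries),
            "pending_days": (as_of - first).days,
            "overdue": as_of - first > max_pending,
            "dominant_reason": reasons.most_common(1)[0][0],
        }
    return result


def endpoint_summary(attempts: list[dict], **kw) -> dict:
    """Fleet-level view: which hosts have an overdue patch and what share that is."""
    outstanding = outstanding_patches(attempts, **kw)
    hosts = sorted({a["hostname"] for a in attempts})
    overdue = {k: v for k, v in outstanding.items() if v["overdue"]}
    overdue_hosts = sorted({h for (h, _) in overdue})
    return {
        "fleet": len(hosts),
        "overdue_hosts": overdue_hosts,
        "overdue_share": round(len(overdue_hosts) / len(hosts), 2) if hosts else 0.0,
        # one count per overdue patch, keyed by its dominant failure reason
        "reasons": dict(Counter(v["dominant_reason"] for v in overdue.values())),
    }


if __name__ == "__main__":
    attempts = load_attempts(SAMPLE_EXPORT)
    for (host, patch), info in sorted(outstanding_patches(attempts).items()):
        flag = "OVERDUE" if info["overdue"] else "pending"
        print(f"{host:8} {patch:5} {flag:8} {info['attempts']} attempt(s), "
              f"{info['pending_days']}d, mostly {info['dominant_reason']}")
    print(endpoint_summary(attempts))
```

The report is deliberately split by failure reason: a host whose every attempt was "offline" needs a different fix (wake-on-LAN, a different window, or a tool that does not depend on the VPN being up) from one whose updates run and error out, and the fleet-level share is the number to put in front of the executive team.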

Whose Vulnerabilities are They, Anyway?

The study also found that a fifth of endpoints remain continuously unpatched, and Parkin suggested there are several reasons endpoints could be missed consistently, though a lack of resources is high on the list.

“In a lot of cases, there is also a disconnect between the security operations team who’ll identify the vulnerability and the IT team that’s tasked with fixing it,” he said. “This is another place where a vulnerability management platform can help bridge the communication gap.”

Walters added that, as the organization expands into new markets or introduces new products, IT security must put protective measures in place, which can be perceived by non-IT executives as adding unnecessary guardrails to the process.

“As a result, the IT security team may not receive the support it needs from the executive team to effectively communicate the importance of security measures and mitigate risks,” he cautioned.

He pointed out there is also a worldwide talent shortage and a lack of resources, which means there is not enough staff to implement sufficient vulnerability management strategies.

“Meanwhile, the attack surface is continuously growing,” he said. “As companies adopt more technologies, they increase their attack surface, which does not help reduce the number of vulnerabilities.”

A contributing factor to this is continuous digital transformation and the increased complexity of digital environments.

“The larger your technology stack, the larger your attack surface, and the more vulnerabilities you are likely to have,” Walters said.

Nathan Eddy

Nathan Eddy is a Berlin-based filmmaker and freelance journalist specializing in enterprise IT and security issues, health care IT and architecture.
