Most IT Bosses Hold Off Critical Patches To Keep Business Operational – Study


Patchy patching. Tanium’s study reveals the scale of security compromises made by IT departments, just to keep businesses running

New research from endpoint security specialist Tanium has revealed the worrying security compromises that most IT bosses have to make to keep business systems operational.

The ‘Resilience Gap Study’ from Tanium found that the vast majority of IT teams opt to hold off installing important security updates or patches.

This is despite repeated advice from security experts that consumers and businesses need to apply fixes and patches to their systems and devices, as soon as possible.


Patchy patching

But sadly this doesn’t seem to happen in real life.

In February for example, penetration testers at London-based Positive Technologies were able to breach 92 percent of their corporate clients due to well-known security flaws that had not been patched.

And now Tanium’s research of 500 CIOs and CISOs across the US, UK, Germany, France and Japan, has confirmed the scale of the trade-offs between security and keeping IT and business operations going.

The Tanium study found that 95 percent of CIOs and CISOs in the UK admit they make compromises in how they protect the business against cyber threats and other disruptions.

There are varied reasons for this.

35 percent of respondents cited pressure to keep the lights on, whilst almost a third (31 percent) suggested they were hamstrung by legacy IT commitments, which restrict their security efforts.

And nearly a third (30 percent) said that a focus on implementing new systems takes precedence over protecting existing business assets, and over a quarter (28 percent) stressed that inconsistent and incomplete datasets were a key driver.

And if that wasn’t bad enough, the study also had another alarming stat: 84 percent said they had refrained from adopting an important security update or patch because they were worried about the impact on the wider business.

In fact, over two fifths (41 percent) said they had held off applying a patch on more than one occasion.

And when patches are deployed, sometimes there are gaps: the study found that more than eight out of ten (83 percent) said they have found that a critical update or patch they thought had been deployed had not actually updated all devices, leaving the business exposed.

IT pressures

Matters are not helped by the fact that many organisations lack visibility across their endpoints (i.e. laptops, servers, virtual machines, containers, or cloud infrastructure).

This lack of visibility is stopping IT teams from making confident decisions, operating efficiently, and remaining resilient against disruptions, said Tanium.

This is evidenced when the study found that over a quarter (28 percent) of UK respondents said that departments and business leaders work in silos.

“As leaders, CIOs and CISOs face multifaceted pressures across the business to remain resilient against disruption and cyber threats,” explained Matt Ellard, MD at Tanium.

“They must maintain compliance with an evolving set of regulatory standards, track and secure sensitive data across computing devices, manage a dynamic inventory of physical and cloud-based assets, all while fulfilling an increasingly common executive mandate to make technology an enabler for business growth,” said Ellard.

“But in fragmented environments, where organisations use a range of point products for IT security and operations, there are regular compromises taking place among these priorities,” he warned. “Our research shows that a new approach is needed to achieve visibility and control of distributed, dynamic IT environments.”

The dangers of not applying updates or patches are well known.

In 2017 for example it was revealed that one of Scotland’s largest health boards had failed to ensure that its IT systems were fully patched with a vital security update, which left it vulnerable to a widespread cyber attack.

NHS Lanarkshire had been one of the worst-hit health authorities in Scotland when the WannaCry ransomware wreaked havoc across the UK (and indeed the world) starting in May 2017.
