These software bugs are years old. But businesses still aren’t patching them
Almost two thirds of vulnerabilities on enterprise networks involve flaws that are over two years old and have not been patched, despite fixes being available. This lack of patching puts businesses at risk of attacks that could often be avoided simply by applying security updates.
Analysis by Bitdefender found that 64 percent of all reported unpatched vulnerabilities during the first half of 2020 involve known bugs dating from 2018 and previous years, which means organisations are at risk from flaws that somebody should have fixed a long time ago.
“The vast majority of organizations still have unpatched vulnerabilities that were identified anywhere between 2002 and 2018,” the report said.
Applying patches can be time-consuming, tedious and unrewarding work. For cyber criminals, however, unpatched vulnerabilities provide a simple way to deploy cyber attacks and malware. While businesses and users are encouraged to apply security patches to operating systems and software as soon as possible, the figures in Bitdefender’s 2020 Business Threat Landscape Report suggest that some organisations are still slow to apply them.
“With organizations having most of their workforce remote, setting and deploying patching policies has never been more crucial. With six in 10 organizations having machines with unpatched vulnerabilities that are older than 2018, the risks of having those vulnerabilities exploited by threat actors are higher than ever,” the report warned.
In some cases, organisations don’t apply security patches because they fear it could have a negative impact on how their systems run, and so they accept the risk of a cyber attack instead.
“Backward compatibility plays a vital role in deciding whether or not some applications should be patched. For example, patching or upgrading an application or service could break compatibility with other software that could be mission-critical for the organization. In this case, not patching could be less of a security decision but more of a business decision,” Liviu Arsene, global cybersecurity researcher at Bitdefender told ZDNet.
However, by having a good knowledge of what the network looks like and a plan for applying patches, organisations can go a long way towards protecting themselves from cyber attacks designed to take advantage of known vulnerabilities.
“Having a patching policy and roll out procedure in place is always the best solution for addressing known vulnerabilities,” said Arsene.
“Systems that are mission-critical but cannot be patched for backward compatibility or business continuity reasons should be isolated and access to them tightly regulated,” he added.
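The two practical points above, knowing what is on the network and deciding per system whether to patch or to isolate, can be turned into a small triage report. The following is an added illustration, not code from Bitdefender, ZDNet or the report: it takes a constructed inventory of open findings, computes the report's metric (the share of fixable findings whose CVE identifier predates 2018) and assigns each host an action. The host names, CVE identifiers and the `patchable` flag are all constructed sample data.

```python
"""Vulnerability-age triage over a constructed asset inventory.

Added illustration, not Bitdefender's or ZDNet's code. It applies the
report's metric (share of open, fixable findings whose CVE year is 2018 or
earlier) to scanner-style rows and assigns each host one of three actions:
  patch   - a fix exists and the owner says the system can take it
  isolate - a fix exists but the system is declared unpatchable
            (backward compatibility / business continuity), so restrict access
  track   - no fix is available yet
All hosts and CVE identifiers below are constructed sample data.
"""
import re

CVE_RE = re.compile(r"^CVE-(\d{4})-\d{4,}$")

# Constructed sample scanner output: one open finding per row.
# 'patch_available' mirrors the article's point that fixes exist but are not
# applied; 'patchable' is False where the owner has declared the system
# cannot be patched for compatibility reasons.
FINDINGS = [
    {"host": "erp-01",   "cve": "CVE-2017-0001", "patch_available": True,  "patchable": False},
    {"host": "erp-01",   "cve": "CVE-2018-0002", "patch_available": True,  "patchable": False},
    {"host": "web-01",   "cve": "CVE-2016-0003", "patch_available": True,  "patchable": True},
    {"host": "web-01",   "cve": "CVE-2020-0004", "patch_available": True,  "patchable": True},
    {"host": "laptop-7", "cve": "CVE-2019-0005", "patch_available": True,  "patchable": True},
    {"host": "laptop-7", "cve": "CVE-2002-0006", "patch_available": True,  "patchable": True},
    {"host": "db-02",    "cve": "CVE-2020-0007", "patch_available": False, "patchable": True},
]


def cve_year(cve_id: str) -> int:
    """Return the year embedded in a CVE identifier; reject malformed ids."""
    m = CVE_RE.match(cve_id)
    if not m:
        raise ValueError(f"not a CVE identifier: {cve_id!r}")
    return int(m.group(1))


def stale_share(findings, cutoff_year=2018):
    """The report's headline metric: among findings that already have a fix,
    how many date from cutoff_year or earlier. Returns (stale, fixable, fraction)."""
    fixable = [f for f in findings if f["patch_available"]]
    stale = [f for f in fixable if cve_year(f["cve"]) <= cutoff_year]
    fraction = len(stale) / len(fixable) if fixable else 0.0
    return len(stale), len(fixable), fraction


def triage(findings):
    """Per host: the oldest open CVE year and the action the text calls for.
    'isolate' wins over 'patch' if any fixable finding on the host is unpatchable."""
    report = {}
    for f in findings:
        entry = report.setdefault(f["host"], {"oldest_year": 9999, "action": "track"})
        entry["oldest_year"] = min(entry["oldest_year"], cve_year(f["cve"]))
        if f["patch_available"]:
            if not f["patchable"]:
                entry["action"] = "isolate"
            elif entry["action"] != "isolate":
                entry["action"] = "patch"
    return report


if __name__ == "__main__":
    stale, fixable, frac = stale_share(FINDINGS)
    print(f"{stale}/{fixable} fixable findings ({frac:.0%}) date from 2018 or earlier")
    for host, entry in sorted(triage(FINDINGS).items()):
        print(f"{host:10} oldest CVE year {entry['oldest_year']}  -> {entry['action']}")
```

In a real deployment the `FINDINGS` rows would come from a vulnerability scanner export and the `patchable` flag from the asset owner's change-management record; the point of the `isolate` bucket is that a system left unpatched for business reasons must show up on a list that drives network segmentation and access controls, rather than silently staying in the backlog.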