Companies face inefficiencies, logjams in patching vulnerabilities

Infinite Computer Data

One of the most important jobs of any IT pro is keeping systems up to date. But with so many applications and services in use across the organization, that can be a haphazard process – one that leaves key vulnerabilities for attackers to exploit. 

According to some surveys, organizations run as many as 300-400 apps, and shadow IT can add more that IT doesn’t even know about. So it’s no surprise that keeping those apps patched and up to date can be a full-time job in itself.

The problem: the way companies go about it often isn’t efficient, or even effective.

Scanning for vulnerabilities

According to Nopsec’s 2016 Outlook: Vulnerability Risk Management and Remediation Trends report, 70% of organizations scan their systems for known vulnerabilities at least weekly.

But those scans don’t always produce information the organization can act on. According to the report, the top barriers to getting the most from scan data were:

  • Data overload (51%). With so much information, it’s hard to decide what to patch first.
  • Lack of resources (46%). Manual processes are slow, so even good findings get acted on late.
  • Bad data (34%). False positives waste analyst time, and gaps in scan coverage hide real exposures.
  • Lack of budget (33%). Even when companies find the inefficiencies, they may not have the money to fix them.
  • Lack of context (21%). Companies often don’t know how serious the issues they find actually are.
  • Lack of relevancy (16%). Even when a vulnerability is confirmed, companies may not know what it means for their own environment.

Prioritizing trouble

Another serious vulnerability-management issue: many companies aren’t sure how best to prioritize the vulnerabilities they find.

According to the survey:

  • 31% use commercial tools to automate the prioritization of security vulnerabilities
  • 43% rely at least partly on CVSS scores to prioritize, and
  • 24% don’t actually know how they prioritize vulnerabilities.

Uncertainty was a common theme: 60% of respondents said management is only somewhat informed, or not informed at all, about the risks security threats pose.

Come up with a system

Regardless of how you choose to handle vulnerability management, the important thing is to have a system and stick to it.

Some ideas:

  • Prioritize high-risk data and high-risk apps. These are the systems that most need to stay current. A scanner’s CVSS score alone doesn’t tell you which assets matter most to your business, so combine it with what you know about the data each system holds.
  • Set time aside for testing. A discovered vulnerability usually can’t be fixed the same day; patches need to be tested before they’re rolled out. Decide in advance how long testing gets for each severity level so it doesn’t become an open-ended delay.
  • Determine the frequency of scans. Scanning more often catches new vulnerabilities sooner, but every scan produces findings (including repeat false positives) that someone has to triage. Set a schedule that matches the staff you can devote to working the results.
  • Designate roles. Make sure each tech on your team knows which systems and applications they’re responsible for diagnosing and patching, so findings don’t sit unowned.
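One concrete way to put the survey’s CVSS point and the advice above (prioritize high-risk apps, fixed testing windows, named owners) into practice, as an added example that is not part of the original article or the NopSec report: a small Python triage script that takes constructed scanner findings, drops duplicates and previously verified false positives, weights the CVSS base score by an asset tier and a data-sensitivity flag, and assigns each finding a remediation deadline and an owner. The asset inventory, the weights, the deadline thresholds, the team names and the CVE identifiers are all assumptions made up for illustration; the article gives no numbers for any of them.

```python
"""Vulnerability triage example: rank scanner findings by CVSS base score
weighted by asset criticality, drop duplicates and known false positives,
and assign a remediation deadline and an owner.

Added example, not from the original article. Every constant below
(asset tiers, weights, deadlines, owners, sample findings) is constructed
for illustration; tune them to your own environment.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta

# Constructed asset inventory: hostname -> (tier, holds_sensitive_data).
# Tier 1 = internet-facing or business-critical, tier 3 = lab/dev.
ASSETS = {
    "web-01": (1, True),
    "db-01": (1, True),
    "intranet-wiki": (2, False),
    "dev-box-7": (3, False),
}

# Assumed weights and deadlines (the article gives no numbers).
TIER_WEIGHT = {1: 1.0, 2: 0.7, 3: 0.4}
SENSITIVE_BONUS = 1.0  # added when the host holds high-risk data
DEADLINE_DAYS = [(9.0, 7), (7.0, 30), (4.0, 90)]  # (minimum risk score, days to fix)
DEFAULT_DEADLINE = 180  # days for anything below the lowest threshold

# Findings an analyst has already verified as false positives: (plugin id, host).
KNOWN_FALSE_POSITIVES = {("10002", "intranet-wiki")}

# Constructed role assignment: hostname prefix -> team that owns patching.
OWNERS = {"web-": "web-team", "db-": "dba-team"}

# Constructed "today" so the example is deterministic.
TODAY = date(2016, 6, 1)


@dataclass(frozen=True)
class Finding:
    plugin_id: str     # scanner check identifier
    host: str
    cve: str           # illustrative identifier, not a real advisory
    cvss_base: float   # CVSS v3 base score, 0.0-10.0


@dataclass(frozen=True)
class Ticket:
    finding: Finding
    risk: float
    due: date
    owner: str


def risk_score(f: Finding) -> float:
    """CVSS base score scaled by asset tier, plus a bonus for sensitive data, capped at 10."""
    tier, sensitive = ASSETS.get(f.host, (3, False))  # unknown hosts are treated as low tier
    score = f.cvss_base * TIER_WEIGHT[tier]
    if sensitive:
        score += SENSITIVE_BONUS
    return round(min(score, 10.0), 1)


def deadline_for(risk: float, today: date) -> date:
    """Map a risk score to a fixed remediation window (the 'testing time' budget)."""
    for threshold, days in DEADLINE_DAYS:
        if risk >= threshold:
            return today + timedelta(days=days)
    return today + timedelta(days=DEFAULT_DEADLINE)


def owner_for(host: str) -> str:
    """Designate a responsible team by hostname prefix; everything else goes to infra."""
    for prefix, team in OWNERS.items():
        if host.startswith(prefix):
            return team
    return "infra-team"


def triage(findings: list[Finding], today: date) -> list[Ticket]:
    """Dedupe, drop known false positives, score, and sort highest risk first."""
    seen: set[tuple[str, str, str]] = set()
    tickets: list[Ticket] = []
    for f in findings:
        key = (f.plugin_id, f.host, f.cve)
        if key in seen or (f.plugin_id, f.host) in KNOWN_FALSE_POSITIVES:
            continue
        seen.add(key)
        r = risk_score(f)
        tickets.append(Ticket(f, r, deadline_for(r, today), owner_for(f.host)))
    tickets.sort(key=lambda t: (-t.risk, t.finding.host))
    return tickets


# Constructed sample scan output (CVE ids and scores are illustrative only).
SAMPLE_FINDINGS = [
    Finding("10001", "web-01", "CVE-2016-0001", 7.5),
    Finding("10001", "web-01", "CVE-2016-0001", 7.5),         # duplicate from a second scan
    Finding("10002", "intranet-wiki", "CVE-2016-0002", 9.8),  # verified false positive
    Finding("10003", "dev-box-7", "CVE-2016-0003", 9.8),      # critical CVSS, but a dev box
    Finding("10004", "db-01", "CVE-2016-0004", 5.3),          # medium CVSS, but sensitive data
    Finding("10005", "intranet-wiki", "CVE-2016-0005", 6.4),
]

if __name__ == "__main__":
    for t in triage(SAMPLE_FINDINGS, TODAY):
        print(f"{t.risk:>4} {t.finding.host:<14} {t.finding.cve} due {t.due} -> {t.owner}")
```

Note what the weighting changes: the dev box with a 9.8 base score sinks to the bottom of the queue, while the database with a 5.3 base score moves above it because it holds sensitive data. That is the "lack of context" gap from the survey being closed by local knowledge the scanner cannot have. The false-positive list and the dedupe step are what keep the weekly re-scan from turning into the "data overload" the survey respondents complain about.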