A recent security survey carried out by McAfee produced a number of key findings which suggest that the UK and the rest of Europe continue to struggle with systems release updates, and in particular with the deployment of patches. Key findings included:
* 45% of respondents said that their IT infrastructure is never 100% protected from vulnerabilities.
* More than a quarter (27%) agreed that it takes 48 hours or more from the time a patch is issued to the time that the IT infrastructure is fully protected.
* About one in five admitted that it takes up to a week to roll out new patches.
* Over a third had no idea about how many patches they apply to their business systems in any given six-month period.
* 58% of IT professionals questioned had no idea about how much the deployment of patches is costing their businesses.
* Finally, 45% of those questioned do not prioritize which areas of the business are patched first.
As we should all be aware, system vulnerabilities do not go away when Microsoft, Oracle, IBM or another vendor releases a patch. A secondary window of opportunity exists for the period of time that it takes to fully deploy each patch.
As if this laid-back and somewhat dilatory approach to self-help were not bad enough, the survey also had a number of other salient findings to impart. These included the fact that, while we, as end-users, are prepared to leave patches in abeyance until a more convenient time, the actual window of vulnerability has shrunk to the extent that attacks can now take place on the same day the vulnerability is announced.
In addition, the range of threat opportunities continues to increase and now takes in delivery models that include spyware, phishing, pharming, instant messaging (IM) and peer-to-peer (P2P), and an ever-increasing number of mobile channels.
However, with such a high proportion of European businesses reporting that patch management deployments can take a week or more, it was somewhat gratifying to hear that 35% of Spanish businesses are able to fully protect their networks within one hour of patch receipt. France was reported to be the most inefficient amongst the European markets questioned, with 39% of businesses taking over 48 hours to deploy patches and 27% admitting to over a week. Businesses in the UK were not that much better: the respective figures were 30% taking over 48 hours and 22% over one week.
‘Must try harder’ would seem to be the overriding theme of this latest report on patch management performance, and it would not be unfitting to add that only when such efforts equate to significantly reduced patch deployment timescales will end users have earned the right to complain further about software vendor performance.
Source: OpinionWire by Butler Group (www.butlergroup.com)