Monthly IT Security Patch Alerts Will Leave Businesses Vulnerable, Warns NetSecure
NetSecure is warning businesses about the potential security risks of Microsoft’s latest proposal to release security patches on a monthly basis, rather than in real-time. NetSecure insists that, with the recent Blaster worm hitting just 26 days after the vulnerability was first highlighted and the number of attacks over instant messaging and P2P systems quadrupling in the first six months of this year, a prompt patch management regime is absolutely critical if companies are to avoid serious security breaches such as hack attacks or virus infections. If Microsoft intends to address the patching process, as it claimed at its worldwide partner conference last week, then, ironically, moving to a 30-day scheme potentially leaves businesses vulnerable for 29 days every month, or 353 days each year.
“Whilst the move to monthly security alerts goes some way to simplifying patch management approaches, it is at the expense of network security,” said Alan McGibbon, director of NetSecure. “Businesses need relevant real-time information to be completely secure. Any company with inadequate security policies, or those that keep putting off investing in security are asking for trouble.”
The vast majority of companies are still leaving the security of their networks and websites to chance, either because they don’t have the in-house resources to implement an effective patch management regime or, worse, because they choose to ignore the risks. Research conducted by Sophos* earlier this year revealed that many system administrators have not put in place a formal way of dealing with new security vulnerabilities as they are discovered, and only 43 percent of respondents said they had signed up for Microsoft’s security vulnerability mailing list.
“Downtime is a costly business and yet many firms are still failing to take the proper precautions and invest in watertight security,” continued McGibbon. “Many businesses are simply not doing anything in the way of vulnerability testing and patching, despite there being no shortage of information – more often than not this is because they do not know where to start, rather than due to budgetary restraint.”