Less than 50 percent of organizations can patch vulnerable systems swiftly enough to protect against critical threats and zero-day attacks, and 81 percent have suffered at least one data breach in the last two years, according to Automox.
The research surveyed 560 IT operations and security professionals at enterprises with between 500 and 25,000 employees, across more than 15 industries to benchmark the state of endpoint patching and hardening.
While most enterprises want to prioritize patching and endpoint hardening, they are inhibited by the pace of digital transformation and modern workforce evolution, citing difficulty in patching systems belonging to mobile employees and remote offices, inefficient patch testing, lack of visibility into endpoints, and insufficient staffing in SecOps and IT operations to successfully do so.
Missing patches and configurations are at the center of data breaches
The report confirmed that four out of five organizations have suffered at least one data breach in the last two years. When asked about the root causes, respondents placed phishing attacks (36%) at the top of the list, followed by:
- Missing operating systems patches (30%)
- Missing application patches (28%)
- Operating system misconfigurations (27%)
With missing patches and configurations cited more frequently than such high-profile issues as insider threats (26%), credential theft (22%), and brute force attacks (17%), three of the four most common issues can be addressed simply with better cyber hygiene.
Enterprises should patch within 24 hours
When critical vulnerabilities are discovered, cybercriminals can typically weaponize them within seven days. To ensure protection from the attacks that inevitably follow, security experts recommend that enterprises patch and harden all vulnerable systems within 72 hours.
Zero-day attacks, which emerge with no warning, pose an even greater challenge, and enterprises should aim to patch and harden vulnerable systems within 24 hours. Currently:
- Less than 50% of enterprises can meet the 72-hour standard and only about 20% can match the 24-hour threshold for zero-days.
- 59 percent agree that zero-day threats are a major issue for their organization because their processes and tools do not enable them to respond quickly enough.
- Only 39% strongly agree that their organizations can respond fast enough to critical and high severity vulnerabilities to remediate successfully.
- 15 percent of systems remained unpatched after 30 days.
- Almost 60% harden desktops, laptops and servers only monthly or annually, which is an invitation to adversaries.
With cyber hygiene, endpoints need to be scanned and assessed on a regular basis, and if problems are found, promptly patched or reconfigured. Automation dramatically speeds up cyber hygiene processes by enabling IT operations and SecOps staff to patch and harden more systems with less effort, while reducing the amount of system and application downtime needed for patching and hardening. Organizations that have fully automated endpoint patching and hardening are outperforming others in basic cyber hygiene tasks.
The modern workforce presents a cyber hygiene dilemma
Survey respondents are more confident in their ability to maintain cyber hygiene for on- premises computers and servers compared with remote and mobile systems such as servers on infrastructure as a Service (IaaS) cloud platforms, mobile devices (smartphones and tablets), and computers at remote locations. In fact, they rated their ability to maintain cyber hygiene for Bring Your Own Device (BYOD) lowest among all other IT components.
These patterns can be explained by the fact that most existing patch management tools don’t work well with cloud-based endpoints, and that virtual systems are very dynamic and therefore harder to monitor and protect than physical ones.
“Phishing has and will continue to be an issue for many organizations. As the Automox Cyber Hygiene Index highlights, 36% of data breaches involved phishing as the initial access technique used by attackers. Detecting phishing is extremely difficult, but giving your users the ability to report suspicious messages along with proper training goes a long way. You want your users to be part of your security team, and enabling them to report suspicious messages is one step towards this goal,” Josh Rickard, Swimlane Research Engineer, told Help Net Security.
“The combination of robust filtering and user enablement can drastically help with the detection of phishing attacks, but once they have been reported, you need automation to process and respond to them. More importantly, you need a platform that can automate and orchestrate across multiple tools and services. Using security, orchestration, automation and response (SOAR) for phishing alerts enables security teams to automatically process reported messages, make a determination based on multiple intelligence services/tools, respond by removing a message from a (or all) users mailboxes, and even search for additional messages with similar attributes throughout the organization. Having the ability to automate and orchestrate this response is critical for security teams and enables them to put their focus on other higher-value security-related issues,” Rickard concluded.