What does patching mean?
Patches are software updates, usually released to improve the performance or fix bugs and security vulnerabilities in software already installed on computers, IT systems and devices.
Software is far from perfect, and its glitches and vulnerabilities are readily exploited by attackers to carry out cyber attacks, spread viruses, malware and ransomware, and to build botnets.
More sophisticated cyber attacks use unknown vulnerabilities – called zero-day exploits – but the majority rely on known vulnerabilities. Analysis suggests that zero-day vulnerabilities account for as little as 1% of vulnerabilities in Microsoft software.
In fact, most exploits involve vulnerabilities that were patched more than a year ago. According to Fortinet’s recent Threat Landscape Report, 90% of organisations recorded exploits for vulnerabilities that were three or more years old. Some 60% of firms were still seeing attacks against vulnerabilities dating back 10 years or more.
Why does it matter?
The WannaCry and Petya ransomware attacks earlier this year demonstrate the extent to which not patching can leave companies vulnerable. Both used known vulnerabilities to spread through networks and encrypt data, and despite the availability of a patch, the malware infected hundreds of thousands of computers.
More recently, the massive data breach at Equifax was said to be the result of an unpatched vulnerability in the Apache Struts web framework, first reported in March 2017.
Regular patching is known to be an effective form of defence against cyber attacks, and yet companies take on average 100 days or more to update their systems.
In an ideal world, every organisation would apply the latest security patches and updates to their IT systems as soon as they are released. But in reality there are many good reasons why companies do not keep software up-to-date, not least because of the complexity and interdependencies of software and the reliance on critical IT systems.
Installing patches can create more problems than it solves, and patches are known to have caused systems to crash catastrophically. In 2015, trading ceased on the New York Stock Exchange for nearly four hours after a technology upgrade went wrong, while a failed upgrade left thousands of banking customers unable to access their accounts at Australia-based St George’s Bank.
Keeping connected devices like industrial control systems updated can also be challenging, especially for older or legacy systems. According to SANS, only 46% of firms regularly apply vendor-validated patches to their industrial control systems. In some cases the software is no longer supported by the vendor, and patching is often impractical.
Yet many cyber insurance policies contain wording that excludes losses arising from a ‘failure to maintain’ systems and to apply regular patches and updates. Given that updates may take time to install, or may not be practical at all, this exclusion can be problematic.
In some instances it is possible to have a ‘failure to maintain’ exclusion deleted, but clients will need to provide underwriters with quality information on updating procedures. Insurers will want to see processes that ensure updates are applied in a timely manner, but that also prevent business interruption and usability issues.
For further information, please contact Sarah Stephens, Head of Cyber, Content and New Technology Risks on firstname.lastname@example.org