Missing Patches Place Security At Risk

Cyber security is both a driver and a major barrier to public sector IT modernisation, according to new research from BAE Systems about cyber security concerns in the UK public sector. Forget the stealthy hacker deploying a never-before-seen zero day to bring down your network. IT security professionals admit that one in three breaches are the result of vulnerabilities that they should have already patched.

Software vendors are constantly publishing new patches to fix problems in software that they have sold. It's then up to the users of the software to apply the patches, or else risk leaving themselves open to attack via the backdoors that the vendors failed to spot when building the product in the first place. 

BAe Systems surveyed 250 managers with IT responsibility in UK central governmental organisations, to better understand the interplay between security and digital transformation. 

The results have revealed that most (60%) UK government departments have digital transformation plans in place and that these have been accelerated in the majority of cases by the pandemic. Mitigating the risk of vulnerabilities was cited by three-quarters (75%) of respondents as the main reason for driving these legacy upgrades. This finding is supported by current experience. Nearly two-thirds (63%) of respondents said they suffered a security incident in the past six months and over half of these (52%) came as a result of missing patches. 

The mass exploitation of unpatched Microsoft Exchange Server bugs earlier this year is proof of the potentially disruptive impact of such threats.

Security was also cited by 68% of respondents as a barrier to upgrades, second only to integration issues (69%). According to BAe Systems findings, greater collaboration between IT and security and a recognition of the urgent need for security enhancements in certain areas can give projects a push. “The lack of integration between legacy IT and modern security solutions was the top data protection risk highlighted by respondents (53%), although “managing risk” came top in the NHS (55%) and “securing traffic flows” was the number one issue for public administration officials (61%)”.

Top of the priority list for IT decision makers in central government is simplifying their security architecture (45%) and reviewing current risk management strategies to ensure they have the right balance between security and productivity (45%), the report  concludes.

The 2017 WannaCry ransomware attack was a very clear example of what can go wrong when patches aren't applied; while a patch for the vulnerability exploited by the ransomware had existed for several months many organisations, notably, parts of the UK's National Health Service, had failed to use it.

BAe Systems:        Unified Guru:    Infosecurity Magazine:       NewZZ:      ZDNet:       Shop Center US

You Might Also Read:

Ignoring Software Updates:

 

« Managing A Remote Team To Protect Against Cyber Attacks
WEBINAR: How To Architect An Identity Management Strategy In AWS »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

BackupVault

BackupVault

BackupVault is a leading provider of automatic cloud backup and critical data protection against ransomware, insider attacks and hackers for businesses and organisations worldwide.

CYRIN

CYRIN

CYRIN® Cyber Range. Real Tools, Real Attacks, Real Scenarios. See why leading educational institutions and companies in the U.S. have begun to adopt the CYRIN® system.

Clayden Law

Clayden Law

Clayden Law advise global businesses that buy and sell technology products and services. We are experts in information technology, data privacy and cybersecurity law.

Practice Labs

Practice Labs

Practice Labs is an IT competency hub, where live-lab environments give access to real equipment for hands-on practice of essential cybersecurity skills.

DigitalStakeout

DigitalStakeout

DigitalStakeout enables cyber security professionals to reduce cyber risk to their organization with proactive security solutions, providing immediate improvement in security posture and ROI.

Magic Software Enterprises

Magic Software Enterprises

Magic provide Mobile Device Management (MDM) for Secure Enterprise Mobility. Magic MDM overcomes the challenges of mobile device management security by protecting all of your devices, data and content

Giesecke+Devrient (G+D)

Giesecke+Devrient (G+D)

Giesecke+Devrient develop security technologies in four major areas: enabling secure payment, providing trusted connectivity, safeguarding identities and protecting digital infrastructures.

NPCore

NPCore

NPCore is specialized in defense solution against unknown APT and Ransomware and provides two-level defense on network and endpoint based on behavior.

Cyber Defense Labs

Cyber Defense Labs

Cyber Defense Labs helps companies identify, mitigate and reduce risk as a trusted, reliable partner for cyber risk management.

Horangi

Horangi

Horangi provides security products and services that enable the rapid delivery of Incident Response and threat detection for our customers who lack the scale, expertise, or time to do it themselves.

Living Security

Living Security

Living Security specializes in metric driven and engaging security awareness solutions that reduce risk by increasing security culture and changing employee behaviour.

TeraByte

TeraByte

TeraByte is an information security company which helps to educate and protect businesses from cyber security related risks.

CertiK

CertiK

CertiK uses rigorous Formal Verification technology to provide hacker-resistant smart contract and blockchain audits, thorough penetration testing, and customized security integrations.

Illuma Labs

Illuma Labs

Illuma Labs delivers real-time voice authentication and fraud prevention solutions.

National Cryptologic Foundation (NCF)

National Cryptologic Foundation (NCF)

The National Cryptologic Foundation strives to influence the cryptologic future by sharing our educational resources, stimulating new knowledge, and commemorating our heritage.

Valeo Nertworks

Valeo Nertworks

Valeo Nertworks is a full-service Managed Security Service Provider (MSSP). We partner with organizations to remove the burden of technology so that they can focus on growing their business.

Flotek

Flotek

Flotek is an IT & Comms service provider delivering SMEs with trusted, innovative and cost effective cloud technology, with confidence, clarity and clout.

RealDefense

RealDefense

RealDefense develops and markets various privacy, security and optimization technologies and services for consumers and small businesses.

Logiq Consulting

Logiq Consulting

Logiq Consulting provide a full range of Cyber Security, Information Assurance and System Engineering services.

BluTinuity

BluTinuity

BluTinuity is a premier management consulting firm with a passion for information security, business continuity, incident response, disaster recovery, and HIPAA security.

IndoSec

IndoSec

IndoSec is an annual cybersecurity summit that powers an in-person gathering of cybersecurity leaders from Indonesia’s major corporations, leading businesses and key government entities.