Missing Patches Place Security At Risk

Uploaded on 2021-05-31 in TECHNOLOGY--Resilience, GOVERNMENT-National, FREE TO VIEW, BUSINESS-Services-IT & Telecoms

Cyber security is both a driver and a major barrier to public sector IT modernisation, according to new research from BAE Systems about cyber security concerns in the UK public sector. Forget the stealthy hacker deploying a never-before-seen zero day to bring down your network. IT security professionals admit that one in three breaches are the result of vulnerabilities that they should have already patched.

Software vendors are constantly publishing new patches to fix problems in software that they have sold. It's then up to the users of the software to apply the patches, or else risk leaving themselves open to attack via the backdoors that the vendors failed to spot when building the product in the first place. 

BAe Systems surveyed 250 managers with IT responsibility in UK central governmental organisations, to better understand the interplay between security and digital transformation. 

The results have revealed that most (60%) UK government departments have digital transformation plans in place and that these have been accelerated in the majority of cases by the pandemic. Mitigating the risk of vulnerabilities was cited by three-quarters (75%) of respondents as the main reason for driving these legacy upgrades. This finding is supported by current experience. Nearly two-thirds (63%) of respondents said they suffered a security incident in the past six months and over half of these (52%) came as a result of missing patches. 

The mass exploitation of unpatched Microsoft Exchange Server bugs earlier this year is proof of the potentially disruptive impact of such threats.

Security was also cited by 68% of respondents as a barrier to upgrades, second only to integration issues (69%). According to BAe Systems findings, greater collaboration between IT and security and a recognition of the urgent need for security enhancements in certain areas can give projects a push. “The lack of integration between legacy IT and modern security solutions was the top data protection risk highlighted by respondents (53%), although “managing risk” came top in the NHS (55%) and “securing traffic flows” was the number one issue for public administration officials (61%)”.

Top of the priority list for IT decision makers in central government is simplifying their security architecture (45%) and reviewing current risk management strategies to ensure they have the right balance between security and productivity (45%), the report  concludes.

The 2017 WannaCry ransomware attack was a very clear example of what can go wrong when patches aren't applied; while a patch for the vulnerability exploited by the ransomware had existed for several months many organisations, notably, parts of the UK's National Health Service, had failed to use it.

BAe Systems:        Unified Guru:    Infosecurity Magazine:       NewZZ:      ZDNet:       Shop Center US

You Might Also Read:

Ignoring Software Updates:

 

« Managing A Remote Team To Protect Against Cyber Attacks
WEBINAR: How To Architect An Identity Management Strategy In AWS »

ManageEngine
CyberSecurity Jobsite
Check Point
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

Tines

Tines

The Tines security automation platform helps security teams automate manual tasks, making them more effective and efficient.

DigitalStakeout

DigitalStakeout

DigitalStakeout enables cyber security professionals to reduce cyber risk to their organization with proactive security solutions, providing immediate improvement in security posture and ROI.

XYPRO Technology

XYPRO Technology

XYPRO is the market leader in HPE Non-Stop Security, Risk Management and Compliance.

The PC Support Group

The PC Support Group

A partnership with The PC Support Group delivers improved productivity, reduced costs and protects your business through exceptional IT, telecoms and cybersecurity services.

Resecurity

Resecurity

Resecurity is a cybersecurity company that delivers a unified platform for endpoint protection, risk management, and cyber threat intelligence.

Cryptus Cyber Security

Cryptus Cyber Security

Cryptus Cyber Security is an Information Security Training company providing advanced training and services to IT Professionals.

GTB Technologies

GTB Technologies

GTB Technologies is a cyber security company that focuses on providing enterprise class data protection and data loss prevention solutions.

BeOne Development

BeOne Development

BeOne Development provide innovative training and learning solutions for information security and compliance.

Avansic

Avansic

Avansic is a leading provider of e-discovery and digital forensics services to attorneys, litigation support teams, and business communities.

Ziroh Labs

Ziroh Labs

Ziroh Labs leverages advanced cryptography to keep your highly sensitive, private data safe throughout the lifecycle of data.

Riddle&Code

Riddle&Code

Riddle&Code is a product-led services company specializing in onboarding industries to Web3. The team's mission is to provide a trusted connection between the digital and physical worlds.

HUB Security

HUB Security

Hub Security provide Ultra Secure, Military Grade HSM (Hardware Security Module) Solutions for Blockchain and Digital Assets.

Sectra Communications

Sectra Communications

Sectra successfully develops and sells cutting-edge solutions in the expanding niche segments of medical IT and cybersecurity.

Hazy

Hazy

Hazy specialises in financial services, helping some of the world’s top banks and insurance companies reduce compliance risk.

Netpoleon Group

Netpoleon Group

Netpoleon is a leading provider of integrated security, networking solutions and value added services.

European Cyber Competence Network

European Cyber Competence Network

The purpose of the European Cyber Competence Network is to retain and develop the cybersecurity technological and industrial capacities of the EU necessary to secure its Digital Single Market.

Elastio

Elastio

Elastio's cloud-native platform safeguards cloud data from the risks posed by ransomware, application failures and storage security vulnerabilities.

Security Awareness Special Interest Group (SASIG)

Security Awareness Special Interest Group (SASIG)

The Security Awareness Special Interest Group (SASIG) addresses the human aspects of security and fraud prevention in an initiative to improve trust and confidence in the online environment.

Silobreaker

Silobreaker

Silobreaker is a SaaS platform that enables threat intelligence teams to produce high-quality and relevant intelligence at a faster pace.

Ncontracts

Ncontracts

Our mission at Ncontracts is to continually improve our clients’ ability to manage risk and compliance.

AC3

AC3

AC3 is a leading secure cloud services provider, focused on turning your technology challenges into real results.