In the first quarter of 2017 alone, nearly 5,000 software and server vulnerabilities were reported. Many were found in software that state and local governments rely on for daily operations.
To avoid the kinds of cyber attacks that create headaches and headlines, government organizations need to update devices, servers, and other assets as soon as possible after a patch is released. If they don’t, they risk exposing citizen data, losing critical services, and falling out of compliance with internal and external regulations.
Although organizations can significantly reduce their attack surface by patching quickly, correctly, and across all assets, doing so can be complicated, time consuming, and error prone. By automating the patching process and following best practices, state and local governments can improve their security posture, save money, and free up time to meet mission goals such as improving citizen service.
Patching Challenges to Watch Out For
In an analysis of 600 local, state, and federal government organizations’ security posture, 90 percent of lower-performing state organizations scored an F in software patching cadence. Among local organizations, 50 percent of low performers received an F. State and local governments face the following challenges related to patching:
- Sophisticated attacks. Cyber attacks are increasingly stealthy and targeted, and government organizations are not immune. Destructive malware was used to wipe disks in both Ukraine and Saudi Arabia recently, highlighting the fact that IT security is a national issue. Even criminals who are not tech savvy can easily gain access to attack tools.
- Vulnerabilities in legacy software. Government organizations often have legacy systems that no longer receive vendor software patches. These systems have been around for a long time, giving cyber criminals ample time to discover vulnerabilities. The recent WannaCry ransomware attack that hit hundreds of thousands of computers exploited known Microsoft Windows vulnerabilities and was so virulent that Microsoft made an exception and created a patch for computers it no longer supports.
- Visibility. Many organizations have thousands of devices that need to be discovered, tracked, and updated. Managing these assets, and the software running on them, is a challenge in today’s complex environment of extended enterprises, virtual machines, traditional (physical) software solutions, and disparate patching tools. Shadow IT adds another layer of complexity. One study found the average organization uses 928 cloud-based applications, even though most CIOs think their organization uses only 30 to 40.
- Third-party applications. Although many organizations use Microsoft System Center Configuration Manager (SCCM) to deploy patches, applying it to third-party software that Microsoft does not support requires manual work and testing. Organizations also sometimes forgo patching virtual servers and other assets due to limited resources.
- Time-consuming manual processes. Manual patching processes can consume hundreds of hours every month and are prone to error. If a patch requires a system restart, staff time is stretched even further.
- IT policies. Some IT staff may avoid patching certain assets because patches can “break” things, involve extensive customization, aren’t always compatible with other applications running on legacy systems, introduce new security problems, or add unwanted “bonus” features by default. Despite the critical data held in SAP applications, for example, the average time to patch vulnerabilities after SAP releases a fix is more than six months.