Not patching critical vulnerabilities is an open invitation to exploit them. Cyber criminals will accept that invitation!

Our study, The Human Element in Cybersecurity, shows that abandoned technology is by far the largest root cause of cybersecurity incidents, and a significant part of abandoned technology consists of unpatched vulnerabilities: vulnerabilities in applications, firmware, operating systems, drivers, etc., for which patches are available but not installed.

When interviewing the responsible leaders of these organizations, we hear many explanations of why they postpone the distribution of critical patches, and even why they completely abandon technology that is still in use and connected to the infrastructure. Some of these explanations appear to be based on common myths, such as “waiting for proven stability because there are many issues with untested patches”. And there is, of course, always the good old “the device is behind a firewall, so there is no risk”. What all these explanations have in common is that they are invalid and expose the organizations, their suppliers, and their customers to unacceptable cyber risks!

The rules are very simple:

  1. As long as you operate technology, you must manage that technology and ensure timely distribution of patches.
  2. If you question the stability of patches, you create a test environment in which patches are tested in a timely manner.
  3. When you are no longer able to distribute patches, for example because the technology has passed its supported lifecycle, you stop using it and remove it from the infrastructure.

Not patching critical vulnerabilities is an open invitation to exploit them. Cyber criminals will accept that invitation!

Dr. ir Johannes Drooghaag – CEO Spearhead Management