The computer industry may have moved to more frequent software security updates – but the rest of the world still takes a month or longer to patch their networks.
That is one of the findings in a new report by enterprise network bods at Kollective. The biz spoke to 260 IT heads in the UK and US about their systems and security and uncovered some potentially eyebrow-raising facts.
More than a third of IT managers – 37 per cent – view the slow installation of software updates as the biggest security threat they face; more even than idiot end-users choosing bad passwords (33 per cent).
And that's for a good reason: the survey revealed that nearly half – 45 per cent – of large businesses (more than 100,000 terminals) take at least a month to patch their networks; just over a quarter – 27 per cent – take several months.
This is a security nightmare waiting to happen – as has been made clear just today with the announcement of a critical remote-code-execution bug in Apache Struts 2. Roughly half of Fortune 100 companies use Struts for their web apps, and Apache has urged them to update immediately.
The last big hole in the framework saw exploits in the wild within 24 hours – and it was Equifax's failure to patch in time that led to its $600m data breach covering 150 million people.
But the reality on the ground, according to Kollective's survey, is that two-thirds of enterprises are not able to automate security updates, with 13 per cent confessing that they have given up on trying to create an automated system and instead rely on employees updating their own systems.
Big hacker opportunity
If Kollective is right, a terrifying 81 per cent of companies will not be able to apply the Struts patch within the one-day timeframe that Apache has "urgently advised." Just over a half – 52 per cent – say it will take a week.
Which of course leads to the question: Why? What causes the delay?
The most common answer was testing: Nearly 40 per cent of IT managers said the need to test first was the biggest cause of delay. Next up was a quarter of them warning that network scaling issues were to blame. Company policies were blamed by 12 per cent; followed by a lack of infrastructure and lastly bandwidth.
When it comes to the question of why sysadmins, most of whom are fully aware of the problem, don't do more to fix it, the most common answer was budget.
While management is focused on artificial intelligence, machine learning and the cloud – and allocates increasing resources to each – the less-sexy but more important job of putting a content delivery network in place to patch networks rapidly is not getting the attention it needs.
There may be a solution for IT managers running Windows though: Microsoft's Windows as a Service (WaaS) that it is rolling out for Windows 10 will automatically update your systems and, in theory, kill off a big part of the Patch Tuesday headache (incidentally, you can now buy 'Exploit Wednesday' T-shirts).
But the survey also reveals that the Beast of Redmond is moving too fast for most IT managers – with 46 per cent of them saying that they have no plans to manage WaaS updates.
Worse, some warned that Microsoft's new habit of putting out more updates more regularly is actually amplifying the problem, with a backlog of updates building up each month.
But with support for Windows 7 ending in January 2020, companies are going to have to face the unpleasant reality of shifting to Windows 10 or paying hefty support fees.
Of course, this is where the company behind the survey – Kollective – comes in. It offers enterprise content delivery networks that would introduce more automation and faster testing, with a focus on Windows 10.
"Today's businesses are spending more than ever before on enhancing and improving their security systems. But, this investment is wasted if they aren’t keeping their systems up-to-date," said its CEO, Dan Vetras, adding: "Our research has found that many of the delays in software distribution aren’t because of testing, but rather a lack of infrastructure. Poorly constructed networks mean that, even those companies that have made a significant investment in security software, are still leaving their organizations vulnerable to attack."
Of course, Kollective thinks it has the answer – that's its business – but what do you think, Reg readers? Do the figures above reflect your reality? How long does it take you to update your networks? And what is your future solution to the constant nightmare of security updates? ®