Missing Patches Place Security At Risk

Uploaded on 2021-05-31 in TECHNOLOGY--Resilience, GOVERNMENT-National, FREE TO VIEW, BUSINESS-Services-IT & Telecoms

Cyber security is both a driver and a major barrier to public sector IT modernisation, according to new research from BAE Systems about cyber security concerns in the UK public sector. Forget the stealthy hacker deploying a never-before-seen zero day to bring down your network. IT security professionals admit that one in three breaches are the result of vulnerabilities that they should have already patched.

Software vendors are constantly publishing new patches to fix problems in software that they have sold. It's then up to the users of the software to apply the patches, or else risk leaving themselves open to attack via the backdoors that the vendors failed to spot when building the product in the first place. 

BAe Systems surveyed 250 managers with IT responsibility in UK central governmental organisations, to better understand the interplay between security and digital transformation. 

The results have revealed that most (60%) UK government departments have digital transformation plans in place and that these have been accelerated in the majority of cases by the pandemic. Mitigating the risk of vulnerabilities was cited by three-quarters (75%) of respondents as the main reason for driving these legacy upgrades. This finding is supported by current experience. Nearly two-thirds (63%) of respondents said they suffered a security incident in the past six months and over half of these (52%) came as a result of missing patches. 

The mass exploitation of unpatched Microsoft Exchange Server bugs earlier this year is proof of the potentially disruptive impact of such threats.

Security was also cited by 68% of respondents as a barrier to upgrades, second only to integration issues (69%). According to BAe Systems findings, greater collaboration between IT and security and a recognition of the urgent need for security enhancements in certain areas can give projects a push. “The lack of integration between legacy IT and modern security solutions was the top data protection risk highlighted by respondents (53%), although “managing risk” came top in the NHS (55%) and “securing traffic flows” was the number one issue for public administration officials (61%)”.

Top of the priority list for IT decision makers in central government is simplifying their security architecture (45%) and reviewing current risk management strategies to ensure they have the right balance between security and productivity (45%), the report  concludes.

The 2017 WannaCry ransomware attack was a very clear example of what can go wrong when patches aren't applied; while a patch for the vulnerability exploited by the ransomware had existed for several months many organisations, notably, parts of the UK's National Health Service, had failed to use it.

BAe Systems:        Unified Guru:    Infosecurity Magazine:       NewZZ:      ZDNet:       Shop Center US

You Might Also Read:

Ignoring Software Updates:

 

« Managing A Remote Team To Protect Against Cyber Attacks
WEBINAR: How To Architect An Identity Management Strategy In AWS »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

Clayden Law

Clayden Law

Clayden Law advise global businesses that buy and sell technology products and services. We are experts in information technology, data privacy and cybersecurity law.

ManageEngine

ManageEngine

As the IT management division of Zoho Corporation, ManageEngine prioritizes flexible solutions that work for all businesses, regardless of size or budget.

The PC Support Group

The PC Support Group

A partnership with The PC Support Group delivers improved productivity, reduced costs and protects your business through exceptional IT, telecoms and cybersecurity services.

Alvacomm

Alvacomm

Alvacomm offers holistic VIP cybersecurity services, providing comprehensive protection against cyber threats. Our solutions include risk assessment, threat detection, incident response.

Resecurity

Resecurity

Resecurity is a cybersecurity company that delivers a unified platform for endpoint protection, risk management, and cyber threat intelligence.

Marsh

Marsh

Marsh is a global leader in insurance broking and risk management and has been a leader in combatting cyber threats since their emergence.

Certes

Certes

Certes is a pioneer in delivering cutting-edge security technology solutions, with a specific focus on Data Protection Risk Mitigation (DPRM).

Morphisec

Morphisec

Morphisec's world leading prevention-first software stops ransomware and other advanced attacks from endpoint to the cloud.

Tubitak

Tubitak

Tubitak is the scientific and technological research council of Turkey. Areas of research include information technology and security.

Trapmine

Trapmine

TRAPMINE is an innovative cybersecurity products company mainly focusing on protecting organizations from Advanced Persistent Threat & Zero-Day attacks.

Perch Security

Perch Security

Perch is a co-managed threat detection and response platform backed by an in-house Security Operations Center (SOC).

PricewaterhouseCoopers (PwC)

PricewaterhouseCoopers (PwC)

PricewaterhouseCoopers is a multinational professional services network of firms headquartered in London, United Kingdom and operating in 157 countries.

Immuta

Immuta

Immuta empowers data engineering and operations teams to automate data governance, security, access control & privacy protection.

Sontiq

Sontiq

Sontiq is committed to providing best-in-class, highly scalable, award-winning identity security solutions to consumers, businesses and government agencies.

UnderDefense

UnderDefense

UnderDefense provides cyber resiliency consulting and technology-enabled services to anticipate, manage and defend against cyber threats.

Accops Systems

Accops Systems

Accops enables secure and instant remote access to business applications from any device and network, ensuring compliant enterprise mobility.

Zyston

Zyston

Zyston's solutions provide end-to-end management of your cybersecurity needs. Our range of services help protect your business where it needs it the most.

Evervault

Evervault

Evervault provides engineers easy solutions to complex data security and compliance problems.

Baselime

Baselime

Baselime, the cloud-native observability platform. Resolve issues in your cloud application before they become problems.

Clango

Clango

Clango employs an identity-centric approach to optimizing your cybersecurity investment while minimizing risk.

PowerDMARC

PowerDMARC

PowerDMARC is a domain security and email authentication SaaS platform that helps organizations protect their domain name, brand, and emails against unauthorized use.