Missing Patches Place Security At Risk

Cyber security is both a driver and a major barrier to public sector IT modernisation, according to new research from BAE Systems about cyber security concerns in the UK public sector. Forget the stealthy hacker deploying a never-before-seen zero day to bring down your network. IT security professionals admit that one in three breaches are the result of vulnerabilities that they should have already patched.

Software vendors are constantly publishing new patches to fix problems in software that they have sold. It's then up to the users of the software to apply the patches, or else risk leaving themselves open to attack via the backdoors that the vendors failed to spot when building the product in the first place. 

BAe Systems surveyed 250 managers with IT responsibility in UK central governmental organisations, to better understand the interplay between security and digital transformation. 

The results have revealed that most (60%) UK government departments have digital transformation plans in place and that these have been accelerated in the majority of cases by the pandemic. Mitigating the risk of vulnerabilities was cited by three-quarters (75%) of respondents as the main reason for driving these legacy upgrades. This finding is supported by current experience. Nearly two-thirds (63%) of respondents said they suffered a security incident in the past six months and over half of these (52%) came as a result of missing patches. 

The mass exploitation of unpatched Microsoft Exchange Server bugs earlier this year is proof of the potentially disruptive impact of such threats.

Security was also cited by 68% of respondents as a barrier to upgrades, second only to integration issues (69%). According to BAe Systems findings, greater collaboration between IT and security and a recognition of the urgent need for security enhancements in certain areas can give projects a push. “The lack of integration between legacy IT and modern security solutions was the top data protection risk highlighted by respondents (53%), although “managing risk” came top in the NHS (55%) and “securing traffic flows” was the number one issue for public administration officials (61%)”.

Top of the priority list for IT decision makers in central government is simplifying their security architecture (45%) and reviewing current risk management strategies to ensure they have the right balance between security and productivity (45%), the report  concludes.

The 2017 WannaCry ransomware attack was a very clear example of what can go wrong when patches aren't applied; while a patch for the vulnerability exploited by the ransomware had existed for several months many organisations, notably, parts of the UK's National Health Service, had failed to use it.

BAe Systems:        Unified Guru:    Infosecurity Magazine:       NewZZ:      ZDNet:       Shop Center US

You Might Also Read:

Ignoring Software Updates:

 

« Managing A Remote Team To Protect Against Cyber Attacks
WEBINAR: How To Architect An Identity Management Strategy In AWS »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

North Infosec Testing (North IT)

North Infosec Testing (North IT)

North IT (North Infosec Testing) are an award-winning provider of web, software, and application penetration testing.

Clayden Law

Clayden Law

Clayden Law advise global businesses that buy and sell technology products and services. We are experts in information technology, data privacy and cybersecurity law.

CYRIN

CYRIN

CYRIN® Cyber Range. Real Tools, Real Attacks, Real Scenarios. See why leading educational institutions and companies in the U.S. have begun to adopt the CYRIN® system.

Syxsense

Syxsense

Syxsense brings together endpoint management and security for greater efficiency and collaboration between IT management and security teams.

NordLayer

NordLayer

NordLayer is an adaptive network access security solution for modern businesses — from the world’s most trusted cybersecurity brand, Nord Security. 

Secure Identity Alliance (SIA)

Secure Identity Alliance (SIA)

The Secure Identity Alliance is dedicated to supporting sustainable worldwide economic growth and prosperity through the development of trusted digital identities and the adoption of secure eServices.

IBackup

IBackup

IBackup is a Web Based Online Backup service provider.

CERT-UG/CC

CERT-UG/CC

CERT-UG/CC is the national Computer Emergency Response Team for Uganda, operating under the National Information Technology Authority (NITA-U)

Digital Infrastructure Association (DINL)

Digital Infrastructure Association (DINL)

DINL is the leading representative for companies and organisations which are active within the Dutch digital infrastructure sector.

Athena Dynamics

Athena Dynamics

Athena Dynamics focuses on Cyber Security, especially in Critical Information Infra-structure Protection and Enterprise IT Operation Management products and Services.

Tigera

Tigera

Tigera provides zero-trust network security and continuous compliance for Kubernetes platforms that enables enterprises to meet their security and compliance requirements.

Codeproof Technologies

Codeproof Technologies

The Codeproof enterprise mobility solution empowers your business to secure, deploy and manage mobile applications and data on smartphones, tablets, IoT devices and more.

Wolf Hill Group

Wolf Hill Group

Wolf Hill Group, a Slone Partners company, is a national recruitment firm focused on Cybersecurity.

SOSA

SOSA

SOSA facilitates new growth opportunities by connecting the dots between industry verticals and innovation ecosystems around the world.

FireCompass

FireCompass

FireCompass SAAS platform helps CISOs & Security Teams in continuous risk assessment by mapping your attack surface and knowing the “unknown unknowns”.

Adit Ventures

Adit Ventures

Adit Ventures is a venture capital firm with a focus on dynamic growth sectors including AI & Machine Learning, Big Data, Cybersecurity and IoT.

Exalens

Exalens

With deep roots in AI-driven cyber-physical security research and intrusion detection, at Exalens, we are enhancing operational resilience for cyber-physical systems at the OT edge.

Information Systems Security Association (ISSA)

Information Systems Security Association (ISSA)

ISSA is the community of choice for international cybersecurity professionals dedicated to advancing individual growth, managing technology risk and protecting critical information and infrastructure.

Spera Security

Spera Security

Spera helps identity security professionals effectively and confidently measure, prioritize and reduce identity risk to better protect the organization from identity-based attacks.

SecurEyes

SecurEyes

SecurEyes is a leading cybersecurity firm that provides specialised services, including cybersecurity assessments, managed services, and governance risk and compliance services.

HIFENCE

HIFENCE

HIFENCE delivers cybersecurity and networking services that make your company safer and more secure. That’s all we do, so you can concentrate on all the things that you do best.