Skip to content

5 Reasons You’re Not Patching (Yet)

Ask any IT manager about their greatest challenges, and patching will undoubtedly earn a spot at the top of the list. Keeping up with the constant need for new patches is difficult – which is why many companies end up falling behind.

And yet, a shocking number of security breaches are directly linked to vulnerabilities that could have been patched, but simply weren’t. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) conducted a global advisory meeting to provide critical information on the top 15 Common Vulnerabilities and Exposures (CVEs) of 2021, and the results say it all. It’s extremely common for malicious cyber actors to target publicly-known software vulnerabilities, many of which have been exploited for years. According to CISA, this highlights the “…continued risk to organizations that fail to patch software in a timely manner.”

In other words, it’s a serious problem that’s only getting worse.

So, why aren’t companies making patching a top priority?

All too often, the answer comes down to a lack of time or resources. And for many organizations, there is a complicated sense of hesitation associated with patching.

Of course, this doesn’t mean that your IT team doesn’t value effective cybersecurity measures. Maintaining security is consistently named as a major concern for IT teams; it just seems that patching tends to fall by the wayside for one reason or another.

There are five common reasons your organization might not be up-to-date with patching:

  1. It’s become too difficult and time-consuming to keep up with the exorbitant number of patches needed.
  2. Your team is lacking the necessary resources to stay on top of patching.
  3. There are certain applications that cannot be patched internally.
  4. There is resistance among end users.
  5. There is a potential risk of bringing the network down and causing additional problems.

Each one of these is a valid concern, creating a series of obstacles for IT teams that are well-aware of the importance of patching.

The sheer number of patches is nearly impossible to keep up with.

The U.S. Cybersecurity and Infrastructure Security Agency’s (CISA’s) catalog of known exploited vulnerabilities reveals 700-plus existing gaps in security – and those are just the ones from the past several months. For teams that have already fallen behind with patching, seeing new vulnerabilities constantly announced is incredibly discouraging.

Even if your organization is successfully managing OS patching, it’s not unlikely that third-party application vulnerabilities are stacking up as we speak. And with most users employing just as many third-party applications as OS applications, that’s an alarming number of security gaps on every endpoint.

Operationally, there aren’t enough resources to get the job done.

Next, the actual process (or rather, processes) for patching is usually incredibly inefficient. Many organizations handle patching either manually or through individual vendor-supplied solutions. This means that there could very well be a different process for every single application, from Microsoft and Adobe to Java and various browsers. It’s an approach that is far from efficient, and on-premise solutions are often not an option.

And that’s not all. Patching is a highly specialized skill that requires a detailed understanding of network dependencies, particularly as we continue to use more applications in the cloud. As a result, many IT teams simply don’t have the necessary training and education to effectively give patching the necessary attention.

In many cases, internal patching just isn’t an option.

Even if your organization does have the time and workforce for patching, there are many situations in which your team still can’t tackle the task. Many organizations rely on legacy software that is no longer supported by its manufacturers, so there are not patches available. Additionally, there are security appliances that only the vendor can patch – internal patching isn’t even possible.

Regardless of the reason, there’s no shortage of scenarios that result in your team coming up short.

End users often (unintentionally) create major hurdles.

For many end users, security isn’t something they think about regularly. Typically, their primary focus is the work they need to get done in a timely manner. So, being asked to reboot their device to install updates is viewed as an inconvenience, one that they often put off for weeks or months at a time.

Not only that, many end users have admin rights that allow them to alter settings and install new software. This makes it nearly impossible for an IT team to know what applications even exist on a given device, creating even more issues with system compliance.

Perhaps most commonly, the biggest obstacle to patching is fear.

Anytime a patch is applied, an application must be stopped and restarted. There are also many patches that require a full system reboot. Even though a patch may be critical, there is a certain risk that applying it could cause a serious problem, such as:

  • The application stops working
  • The device locks
  • Other applications encounter problems

Thanks to cloud-based applications, intricate system interdependencies, and other factors, the software stacks we use today are more complex than ever. One seemingly minor action can set off a domino effect that could halt an entire organization’s day-to-day operations, which is a risk many IT teams don’t want to take.

In reality, it’s relatively uncommon for a patch will result in operational issues. But it’s understandable that the possibility can create a certain lack of trust in the patching process.

Regardless, consistent patching is essential to your organization’s security.

Even with the difficulties that patching may present, there’s no question that the risk of not patching is far more serious. Ultimately, the best way to keep your organization truly safe is to make sure that each and every vulnerability is properly covered – and that requires a smart, effective approach to patch management.

Depending on your needs, you may find it worthwhile to consider a firm that provides Patch Management as a Service (PMaaS). For many organizations, delegating the task to a professional ends up being the right decision.

As always, feel free to contact us anytime – we’re always happy to help.


Meet the Author
Mike Dillon is Quest's Chief Technology Officer.
Contact Quest Today  ˄
close slider