
Why enterprise patch management pains are cybercriminals’ gain



Enterprises that procrastinate about implementing software patch management give cybercriminals more time to weaponize new endpoint attack strategies.

A clear majority (71%) of IT and security professionals see patching as overly complex, cumbersome, and time-consuming. In addition, 57% of those same professionals say remote work and decentralized workspaces make an already challenging task even more difficult. Sixty-two percent admit that patch management takes a backseat to other tasks, and inventory-driven, largely manual patching processes aren't keeping up.

IT management software vendor Ivanti's report on patch management challenges, published on October 7, provides new insights into the growing number of vulnerabilities enterprises face by dragging their feet on improving patch management. Most troubling is how cybercriminals capitalize on these patch management weaknesses at the endpoint: they weaponize unpatched vulnerabilities, especially those that allow remote code execution, and follow up with fast-moving ransomware attacks.

Ivanti surveyed more than 500 enterprise IT and security professionals across North America, Europe, the Middle East, and Africa. The results show why, and how often, patches get pushed back, leaving enterprises more exposed to breaches.


The high cost of slow patch management

The survey found that 14% of the enterprises interviewed (roughly 70 of 500) have experienced a financial hit of between $100,000 and more than $1 million in the last 12 months that could have been avoided with better patch management. The Institute for Security and Technology found that the number of victims forced to pay a ransom increased more than 300% from 2019 to 2020. According to its Internet Crime Report, the FBI found that the collective cost of the ransomware attacks reported to the bureau in 2020 amounted to about $29.1 million, up more than 200% from $8.9 million the year before. The White House recently released a memo encouraging organizations to use a risk-based assessment strategy to drive patch management and bolster cybersecurity against ransomware attacks.

Not getting patching right can have disastrous consequences, as the WannaCry ransomware attack demonstrated. WannaCry was a worldwide cyberattack that surfaced in May 2017 and targeted computers running Microsoft Windows. It spread as a worm, moving from one unpatched machine to the next without any user interaction, encrypting data and demanding ransom payments in Bitcoin.

With more than 200,000 devices encrypted in 150 countries, WannaCry provides a stark reminder of why patch management needs to be a high priority. A patch for the vulnerability exploited by the ransomware had been available for about two months before the initial attack, yet many organizations failed to install it. As a result, enterprises still fall victim to WannaCry today: there was a 53% increase in the number of organizations affected by WannaCry ransomware from January to March 2021.

Often, line-of-business owners across an enterprise pressure IT and security teams to put off urgent patches because their systems can't be taken down without affecting revenue. Sixty-one percent of IT and security professionals say that business owners ask for exceptions or push back maintenance windows once a quarter because their systems cannot be brought down. In addition, 60% said that patching causes workflow disruption for users. While enterprises slow the pace of patch deployments, cybercriminals accelerate their efforts to weaponize vulnerabilities.

Enterprises struggle to control new cyberattacks

Many IT and security teams are now stretched thin and struggle to control the many new attack surface risks their enterprises face. Ivanti’s survey shows that IT and security teams aren’t able to respond quickly enough to avert breaches. For example, 53% said that organizing and prioritizing critical vulnerabilities takes up most of their time, followed by issuing resolutions for failed patches (19%), testing patches (15%), and coordinating with other departments (10%).

The myriad challenges that IT and security teams face regarding patching may be why 49% of IT and security professionals believe their company’s current patch management protocols fail to mitigate risk effectively.

Like enterprises, cybercriminals recruit new talent to help devise new ways of weaponizing vulnerabilities, building on techniques they see working. That's why enterprises must define a patch management strategy that scales beyond device inventories and manual processes that take too much time to get right. With ransomware having a record year, enterprises need to find ways to automate patch management at scale now.
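The survey's two recurring themes, that prioritizing critical vulnerabilities eats most of a team's time and that business owners push urgent patches into the next maintenance window, both come down to having an explicit, automatable rule for deciding what gets patched first. The script below is an added example, not Ivanti's code or anything from the report, showing one way to encode a risk-based prioritization: each finding is scored on its CVSS base score, whether it allows remote code execution, whether it is known to be exploited in the wild, whether the host is internet-facing, how business-critical the asset is, and how long the vendor's fix has been sitting unapplied. Findings above a threshold are flagged for emergency patching outside the normal window; the rest are batched into maintenance windows of a fixed size. The inventory, the weights, and the threshold are illustrative assumptions, not values from the page.

```python
"""Risk-based patch prioritization over a constructed endpoint inventory.

Added example; not code from the article or from Ivanti. The inventory,
the scoring weights and the emergency threshold are assumptions chosen
for illustration, not values taken from the survey.
"""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Finding:
    """One unpatched vulnerability on one host, as a scanner might report it."""
    finding_id: str        # placeholder label, not a real CVE identifier
    host: str
    cvss: float            # CVSS base score, 0.0 to 10.0
    remote_code_exec: bool # vulnerability class that ransomware crews favor
    known_exploited: bool  # exploitation observed in the wild
    internet_facing: bool  # host reachable from outside the network
    asset_tier: int        # 1 = revenue-critical, 2 = important, 3 = low impact
    patch_age_days: int    # days since the vendor published a fix


# Constructed sample inventory (hypothetical hosts and findings).
INVENTORY: List[Finding] = [
    Finding("F-1", "web-edge-01", 9.8, True,  True,  True,  1, 45),
    Finding("F-2", "hr-laptop-07", 7.5, False, False, False, 3, 10),
    Finding("F-3", "erp-db-02",   8.8, True,  False, False, 1, 200),
    Finding("F-4", "kiosk-11",    5.3, False, True,  True,  3, 400),
    Finding("F-5", "dev-vm-03",   9.1, True,  False, False, 3, 5),
]


def risk_score(f: Finding) -> float:
    """Higher means more urgent. Weights are illustrative assumptions.

    CVSS alone is a poor ordering: a 5.3 that is being exploited on an
    internet-facing host is more urgent than a 9.1 on an isolated dev box.
    """
    score = f.cvss
    if f.remote_code_exec:
        score += 2.0
    if f.known_exploited:
        score += 3.0
    if f.internet_facing:
        score += 2.0
    score += {1: 2.0, 2: 1.0, 3: 0.0}[f.asset_tier]
    # Each 30 days an available fix goes unapplied adds urgency, capped at 3.
    score += min(f.patch_age_days / 30.0, 3.0)
    return round(score, 2)


def prioritise(findings: List[Finding]) -> List[Finding]:
    """Rank findings most urgent first; ties broken deterministically."""
    return sorted(findings, key=lambda f: (-risk_score(f), f.host, f.finding_id))


def schedule(findings: List[Finding],
             emergency_threshold: float = 12.0,
             window_capacity: int = 2) -> Tuple[List[Finding], List[List[Finding]]]:
    """Split ranked findings into an emergency batch and maintenance windows.

    Anything at or above the threshold is patched now rather than waiting for
    a business-owner-approved window; the remainder is chunked into windows
    of window_capacity findings, most urgent first.
    """
    ranked = prioritise(findings)
    emergency = [f for f in ranked if risk_score(f) >= emergency_threshold]
    deferred = [f for f in ranked if risk_score(f) < emergency_threshold]
    windows = [deferred[i:i + window_capacity]
               for i in range(0, len(deferred), window_capacity)]
    return emergency, windows


if __name__ == "__main__":
    urgent, later = schedule(INVENTORY)
    print("Patch now (emergency):")
    for f in urgent:
        print(f"  {f.finding_id} {f.host:<13} score={risk_score(f)}")
    for n, window in enumerate(later, start=1):
        print(f"Maintenance window {n}:")
        for f in window:
            print(f"  {f.finding_id} {f.host:<13} score={risk_score(f)}")
```

The point of the scoring function is that it is explicit and cheap to re-run, so the 53% of time spent hand-ranking vulnerabilities becomes a pipeline step, and a request to defer a patch can be answered with the concrete score that deferral leaves exposed. In practice the CVSS, exploitation and exposure fields would be populated from the scanner and asset inventory rather than typed in.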
