Security company Bromium has released research which claims companies are struggling to maintain emergency patch cycles, “despite the fact enterprise reliance on legacy systems often mean emergency patches are an everyday fact of life,” said a press release from the company.
According to the researcher's press release, “53 percent of CISOs say crisis patch management is a major disruption to their IT and security teams, which happens ‘on average five times per month, with each crisis patch taking an average of 13 man-hours to fix'”.
The release said, “53 percent of businesses have had to pay overtime, or bring in a third party issues response team, to issue patches or fire-fight a security issue in the past year, at a cost of £15,426.58 per patch.”
“This issue is compounded by the fact many enterprises are still tied to legacy systems,” it said.
According to Statcounter, the most popular version of Microsoft's operating system offering, Windows 7,accounts for 46 percent of Windows computers infected by WannaCry.
There are multiples of reasons as to why people don't upgrade. Bromium quotes research which says 40 percent of enterprise software “is paid for but sits unused”, and more often than not it's down to the upgrade being “costly, complex, disruptive and in some instances, unachievable, due to application dependencies.”
Bromium's Simon Crosby, CTO and co-founder of the firm, said, “We can see with the recent WannaCry outbreak – where an emergency patch was issued to stop the spread of the worm – that enterprises are still having to paper over the cracks in order to secure their systems.”Crosby added: “The fact that these patches have to be issued right away can be hugely disruptive to security teams, and often very costly to businesses, but not doing so can have dire consequences. WannaCry certainly isn't an isolated case and as ransomware and polymorphic malware become increasingly sophisticated and difficult to defend against, we are going to see many more emergency patches become a crisis – although, sadly, they will often be too late.”