Organizations, already knee-deep protecting the data in laptops are patching critical vulnerabilities in the mobile devices too slowly, a new study has suggested.
The findings, released Monday by analyst firm Trusted Strategies and patch management provider Shavlik Technologies, revealed that companies largely lack automated solutions to track down vulnerable laptops and apply the necessary patches.
Of the 150 U.S.-based IT security professionals who responded, almost half said it takes more than six days to patch critical flaws on laptops at their company. Meanwhile, 77.4 percent of critical server bugs and 70 percent of critical desktop vulnerabilities are patched within six days.
Just over 60 percent of respondents said laptops pose the greatest threat to "maintaining a secure posture."
"Organizations are deploying laptops at a larger pace and putting more critical information on them," Bill Bosen, partner at Trusted Strategies, told SCMagazine.com today. "You've got all this data, but the data is at risk because (laptops) may go several days without being connected to the company's network (to be patched)."
Bosen said laptops often miss scheduled patches because either the owner is traveling or he or she uses the machine as a secondary device and rarely plugs it into the network. But this spells risk in a landscape dominated by increasing zero-day exploits that could load infectious malware onto an unpatched machine.
"Once a vendor releases its patch, the timeframe to deploy the patch across the network must be extremely short, as knowledge of how to exploit the vulnerability rises exponentially once a patch is published," said Mark Shavlik, Shavlik CEO. "Best practices therefore dictate available patches be deployed within 36 hours or less, to every machine on the network, especially to those distributed and mobile endpoints that are the most vulnerable."
Bosen said that if organizations cannot immediately get to a laptop for patching, they should monitor it until it gets connected to the network.
Click here to email Dan Kaplan.