Although major vulnerabilities, such as Heartbleed and ShellShock, were discovered this year, and data breaches dominated headlines, IT security professionals are continuing to delay the creation of thorough security plans and patching schedules, a new study found.
Sixty-three percent of businesses do not have a fully mature method to control and track sensitive data, and 19 percent do not have one at all, according to Trustwave's “2014 State of Risk Report.”
“If you can't adapt by what's important, then you can't protect,” said Phil Smith, senior vice president of Government Solutions and Special Investigations, Trustwave, in a Friday interview with SCMagazine.com. “The inability to detect and protect that data is critical. If you don't understand where the data is, then you might not take appropriate measures to investigate it (after an incident).”
Furthermore, 58 percent of businesses do not have a fully mature patch management process in place and 12 percent do not have one at all.
The failure to consistently schedule patches might not necessarily be an oversight, Smith said. Rather, it could be the result of the pressures placed on IT security professionals and their already busy days. Between keeping email systems online and ensuring that applications are running properly, patching could fall to the bottom of the to-do list.
“It's a process and is something that sounds like it should be easily done, but once you start losing your IT staff to attrition, you're going to start losing continuity in processes,” he said.
The study also found that 21 percent of businesses do not have incident response procedures in place and 20 percent do not have a process that enables the reporting of security incidents. Additionally, 45 percent of businesses have board- or senior-level management who take only a partial role in security matters. Nine percent do not partake at all.
Smith found the latter point most concerning and stressed that IT security professionals need to educate executives on IT security issues.
“If they are able to bring someone on the executive team into incident response, it goes a long way on educating people on what some of the risks are,” he said. “That's a really critical component for IT security folks.”
More than 400 IT and security professionals were interviewed for the report. Most were based in the U.S., the United Kingdom and the United Arab Emirates; however, more than 50 countries were included, as well.