This blog post is in partnership with LMG Security. With professional hackers and cybersecurity criminals posing a constant threat to law firms big and small, the reality is that your firm’s sensitive data will always be a target. The good news? This risk can be averted by a few simple and cost-effective security strategies which you’ll learn in this CLE Cybersecurity Academy presented in partnership with LMG Security.
Hackers spent 2021 wreaking havoc by exploiting software vulnerabilities. From the recent Log4Shell exploit to a series of Microsoft Exchange vulnerabilities – which hackers have leveraged to deploy ransomware, steal emails, and more — to the Kaseya ransomware attacks that spread throughout the globe, the damage caused by software exploits has been immense. (Here are summaries and next step checklists for the Log4Shell and the Exchange vulnerabilities.)
Even the Equifax breach—one of the largest in US history that exposed personal data for 143 million people—resulted from an unpatched vulnerability. According to Equifax, criminals exploited an unpatched web application vulnerability for which a patch was released two months prior to the attack. This massive breach could have been avoided if Equifax had promptly patched its software.
How Safe is Your Organization?
All too often, patches are available and not deployed due to time, budget, personnel, or technical issues. According to a survey conducted by the Ponemon Institute, 42% of the respondents that had been breached stated that the cause was a known, unpatched vulnerability for which a patch was available but not applied.
To compound the problem, patch management risks aren’t limited to YOUR environment. Criminals can also leverage unpatched vulnerabilities in your vendors’ environments—and your data is at risk. For example, in December of 2020, Florida Healthy Kids Corporation was informed that due to an unpatched vulnerability in their web hosting provider’s environment, criminals had access to the protected health information for 3.5 million of their applicants. It’s clear that patch management is crucial for your business and that your leadership team should ensure that you have a well-thought-out plan to minimize your risks.
Avoiding 6 Common Software Patch Management Mistakes
The good (and bad) news is that many software-related hacks could easily have been prevented with proper patch management. Read on to hear about six common software patch management mistakes, and how you can successfully address them and protect your organization.
Mistake #1: Not Knowing What to Patch
Everybody knows to patch your operating systems—but what about those pesky third-party applications, or software deployed by your vendors? As you can see in the example above, one unpatched vulnerability in a vendor’s system can lead to a major breach. The 2020 Ponemon Institute survey also found that over a six-month period, the average organization had a backlog of 57,555 identified, unpatched vulnerabilities. If you multiply that average backlog by the number of vendors with access to your environment, the numbers get scary. How can you reduce these risks?
Mistake #2: Patching Too Slowly
Many organizations have monthly or bimonthly patching cycles. The problem is that when a critical vulnerability is announced, hackers may actively try to exploit your server within hours or days, not weeks. Other organizations are struggling with resource constraints that cause even longer backlogs for patching. This increases the risk that by the time you patch, you may have already been hacked.
Mistake #3: Ignoring Outdated Software
You may have software on your network that is so outdated that the vendor no longer releases patches—meaning these systems are highly vulnerable to attack. Many organizations throw up their hands and decide there’s nothing they can do. This situation is all too common, particularly in environments where you rely on specialized vendor software. Here are some strategies that can help:
Mistake #4: It’s Never a Good Time
Many organizations don’t apply patches regularly because it is difficult (or even impossible) to find a good time to apply patches and restart critical systems. Try these tips:
Mistake #5: Fear of “Breaking Something”
Even the most well-tested patch deployments can cause problems, particularly in complex environments. Fear of “breaking something” can cause system administrators to delay patching. You can reduce this challenge if you:
Mistake #6: Not Monitoring Patch Status
Patches don’t always install properly, and a patch you believe is applied but isn’t leaves the door open to data breaches, ransomware attacks, and other consequences. Minimize your risk by taking these actions:
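As an added illustration (not code from the original post or from LMG Security) of Mistakes #1, #2, #3 and #6 together, the script below takes a software inventory that includes vendor-managed systems, compares each installed version against the version that contains the fix, flags rows that exceed a per-severity patching deadline, and calls out end-of-life software the vendor no longer fixes. The SLA values, host names, product names, versions and dates are all assumed or constructed for the example.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional, List

# Maximum days between a fix being published and it being deployed, by severity.
# Assumed policy values for illustration, not figures from the post.
SLA_DAYS = {"critical": 3, "high": 14, "medium": 30, "low": 90}

@dataclass
class Asset:
    host: str
    software: str
    installed: str            # version the host currently reports (re-read after every patch run)
    fixed_in: Optional[str]   # version containing the fix; None when the vendor ships no fix
    severity: str
    released: date            # date the fix (or the end-of-support notice) was published
    managed_by: str           # "internal" or the vendor responsible for the system

def version_key(v: str) -> tuple:
    # Dotted numeric versions only; real products need the vendor's own comparison rules.
    return tuple(int(p) for p in v.split("."))

def assess(asset: Asset, today: date) -> dict:
    """Classify one inventory row as patched, pending, overdue, or end-of-life."""
    age = (today - asset.released).days
    if asset.fixed_in is None:
        status, overdue = "end-of-life", age          # no patch will ever arrive
    elif version_key(asset.installed) >= version_key(asset.fixed_in):
        status, overdue = "patched", 0                 # verified by version, not by assumption
    else:
        overdue = max(0, age - SLA_DAYS[asset.severity])
        status = "overdue" if overdue > 0 else "pending"
    return {"host": asset.host, "software": asset.software, "managed_by": asset.managed_by,
            "severity": asset.severity, "status": status, "days_overdue": overdue}

def patch_report(assets: List[Asset], today: date) -> dict:
    """Summarise the backlog: counts per status plus the overdue rows, worst first."""
    rows = [assess(a, today) for a in assets]
    counts = {s: sum(r["status"] == s for r in rows)
              for s in ("patched", "pending", "overdue", "end-of-life")}
    overdue = sorted((r for r in rows if r["status"] == "overdue"),
                     key=lambda r: -r["days_overdue"])
    return {"counts": counts, "overdue": overdue, "rows": rows}

# Constructed sample inventory: hosts, products, versions and dates are made up.
SAMPLE = [
    Asset("web-01", "web-framework", "2.3.31", "2.3.32", "critical", date(2021, 11, 1), "internal"),
    Asset("mail-01", "mail-server", "15.2.922", "15.2.922", "critical", date(2021, 11, 10), "internal"),
    Asset("app-02", "logging-lib", "2.14.1", "2.16.0", "critical", date(2021, 12, 10), "internal"),
    Asset("portal-01", "cms", "4.2.0", "4.3.0", "high", date(2021, 12, 5), "HostingVendorCo"),
    Asset("lab-05", "legacy-scanner", "1.0.9", None, "high", date(2020, 6, 30), "internal"),
]
```

Running `patch_report(SAMPLE, date(2021, 12, 15))` lists web-01 and app-02 as overdue, portal-01 as pending on the vendor, and lab-05 as end-of-life with no fix coming.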
Patch management is a crucial part of your cybersecurity foundation, and it’s one that frequently gets less attention than it deserves due to time and resource issues. If you need help implementing effective patch management or verifying that critical patches have been correctly applied, LMG Security can help.