If it ain't broke, don't fix it...
Is the most common response I get, whenever I ask IT administrators and executives why they don't patch their systems. The funny thing is that the response is always said with such veneration as if they know something the rest of the world doesn't. Well, I hate to break it to those of you out there who feel this way, but you're doing it wrong. Don't just take my word for it. Let's look at the numbers from the 2015 Verizon Data Breach Report.
- 99.9 % of exploited vulnerabilities were at least one-year-old.
- 70% of attacks where the primary target was known resulted in a secondary target being hacked.
- 23% of recipients open phishing emails, with half of those being within the first hour.
- In 60% of cases, attackers are able to compromise an organization within minutes
If it's insecure do you not patch it?
What the data is telling us is that old habits die hard. Despite cyber threats being well known and documented, companies are still choosing to accept risk over mitigation. And those of you who think "this won't happen to me," well, wrong again. You don't have to be the primary target of a cyber attack to be a victim. In fact, the majority of cyber attacks result in a non-primary target being compromised; 70% of attacks impact non-primary targets, which means that cyber criminals are casting a wide net, and it's easy to get tangled up in it.
Gone Phishing
The data also tells us that phishing is still very effective when it comes to compromising a system. Over 1/5th of your employees will open a malicious email and when they do your system will be compromised in under one hour. How many employees do you have again?
If you're still not convinced, if you still think that you have everything you need, check out the below links and see what a hacker can do with your email address and learn how cyber liability policies really work.
CONCLUSION:
By not patching their systems, companies are accepting far too much risk for something as simple as patching. By not adjusting to the times, companies are opening themselves up to an inevitable hack. For the most part, hackers are using the same old methods to compromise a system, because they still work. The easiest way for a company to reduce its risk is to routinely patch their system and educate their employees on phishing and spear phishing techniques.
As much as we'd all love to wear capes to the office, it's just not feasible to transform everyone in your company into an IT superhero. Nor can you have your employees calling someone every time they get an email to confirm with the sender that it did come from them. But you also can't afford not to change with the times. That is what advanced signature-less threat detection is all about. Systems like Carbon Black and services offered by WatchPoint bridge the gap between advanced software and the resources needed to mitigate today's fast moving threats.
Take two minutes to learn about WatchPoint's Comprehensive Cyber Security – you’ll be glad you did.
