Month: November 2018

Why is Patching so Hard?

Patching computer systems is like healthy eating: everyone knows they should do it, most people know how to do it, but far too often it is done half-heartedly or not at all. A widely cited estimate is that around 80% of successful cyber-attacks could have been avoided had the breached system been kept at the latest patch level. WannaCry, perhaps the most infamous and widespread attack of recent years, was entirely avoidable: Microsoft had released a patch for the SMB vulnerability it exploited (MS17-010) almost two months before the worm unleashed global mayhem.

So why do we inflict this misery on ourselves? Why don’t we just patch and head the majority of our security worries off at the pass? As a fully paid-up member of the ‘head-scratching’ security community I watch on with incredulity. But I am also a hypocrite with a short and selective memory. Only a few years ago I was on the other side of the fence, responsible for managing hundreds of systems in extremely challenging circumstances. Back then security patching was a perpetual headache that far too often became overwhelming. With the benefit of hindsight, patching was difficult for an array of reasons:

  • Configuration Management.  Few will admit it, but configuration management is poor to non-existent in most organisations. If you do not know the state of your systems (which hosts exist, what is installed on them and at which version) you cannot determine what patching is required, and once that control is lost it is very difficult to regain.
  • Cost.  Patching can be expensive, and it gets more expensive still when products reach end of life and vendor support stops. At that point the choice is stark: undertake a major upgrade, or consciously leave newly discovered vulnerabilities unpatched. Making the business case for change on the basis of a risk that is hard to quantify is notoriously difficult when money is tight.
  • Time.  I was once responsible for a fleet of systems that were held offline in a warehouse in readiness for emergency use. On a monthly basis we built each system and applied updates and patches. Or at least we tried to; in reality the process took far more hours than were available in a typical working week. The result was a fleet that became ever more out of date and ever more vulnerable. This is an extreme example, but dedicating time to patching systems can be difficult when there are so many different demands on our resources.
  • Risk and Disruption. Most organisations have at least one legacy system that nobody really understands but whose existence is critical to the business. Any change to such a system is regarded as poking a sleeping bear, so the idea of patching it, or any system that interoperates with it, is regarded as self-harm at best.
  • Impenetrable Security. The very worst reason I have ever heard for not patching came from a third-party managed service provider who argued that it wasn’t necessary because their cyber security solution was so robust. As an industry insider I am a huge advocate of comprehensive cyber security, but there is no solution that is impenetrable. This approach is akin to leaving your door unlocked because you have a fence that is almost (but not quite) unscalable.
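The configuration-management point above is the one that can be turned into something mechanical: once you have an inventory of what is installed where, working out who is missing which patch is a version comparison per host. The script below is an added illustration, not code from the original post. The host names, package versions and advisory identifiers are constructed, and the version comparison is a deliberately simple one (numeric runs compared as numbers, letter runs as text) rather than any particular package manager's rules.

```python
"""Work out which hosts still need a patch, given an inventory of installed
package versions and a list of advisories stating the first fixed version.

Added example; host names, versions and advisory IDs are constructed."""

import re

# Constructed inventory: what configuration management says is installed.
# An empty record is a host we know exists but whose state is unknown.
INVENTORY = {
    "web-01": {"openssl": "1.1.1", "bash": "5.0.17"},
    "web-02": {"openssl": "1.1.1k", "bash": "5.0.17"},
    "db-01": {"openssl": "1.0.2u", "sudo": "1.8.31"},
    "mystery-box": {},
}

# Constructed advisories: (advisory id, package, first version with the fix).
ADVISORIES = [
    ("ADV-0001", "openssl", "1.1.1k"),
    ("ADV-0002", "sudo", "1.9.5p2"),
    ("ADV-0003", "bash", "5.1"),
]


def version_key(version: str) -> list:
    """Split a version string into comparable parts.

    Digit runs compare numerically and letter runs compare as text, so
    '1.1.1' < '1.1.1k' and '1.9.5' < '1.9.5p2'.  Real package managers
    (dpkg, rpm) have richer rules, such as epochs; this is a simplification.
    """
    parts = re.findall(r"\d+|[A-Za-z]+", version)
    return [(0, int(p)) if p.isdigit() else (1, p) for p in parts]


def is_fixed(installed: str, fixed_in: str) -> bool:
    """True if the installed version is at or beyond the fixed version."""
    return version_key(installed) >= version_key(fixed_in)


def missing_patches(inventory: dict, advisories: list) -> tuple:
    """Return ({host: [advisory ids still outstanding]}, [hosts of unknown state]).

    A host with no inventory record cannot be assessed at all; it is reported
    separately rather than silently treated as patched.
    """
    behind = {}
    unknown = []
    for host, packages in inventory.items():
        if not packages:
            unknown.append(host)
            continue
        for adv_id, package, fixed_in in advisories:
            installed = packages.get(package)
            if installed is None:
                continue  # package not installed, advisory does not apply
            if not is_fixed(installed, fixed_in):
                behind.setdefault(host, []).append(adv_id)
    return behind, unknown


if __name__ == "__main__":
    behind, unknown = missing_patches(INVENTORY, ADVISORIES)
    for host, advs in sorted(behind.items()):
        print(f"{host}: missing {', '.join(advs)}")
    for host in unknown:
        print(f"{host}: state unknown, cannot assess")
```

The interesting output is not the hosts that are behind but the one whose state is unknown: that is the case the article describes, where control has been lost and no patch list can even be produced. Treating "no data" as "not vulnerable" is the mistake to avoid.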

So, despite the bewilderment of the cyber security community, there are many good reasons why patching is difficult. However, there is no getting away from the fact that patching is the single most impactful measure any organisation can take to improve its cyber security posture. Understanding your enterprise and its vulnerabilities in terms of business risk is an important first step, because it allows scarce resources to be prioritised (the NCSC has some great advice on this). Once that is in place, a holistic cyber security solution can be designed. The answer, as ever, is a portfolio of measures that work together to drive down risk.