Failing to test patches for incompatibilities is risky, Viscuso says. For instance, if a financial services firm breaks a crucial high-speed trading application while conducting an upgrade, it will have to shut down the application and fix the code, potentially costing the company tens of millions of dollars in downtime.
Damned if you do …
But failing to keep up with patching also courts risks.
When a vendor launches a patch outside of its normal patch cycle, as Microsoft did when it released MS17-010 on March 14, it disrupts the cadence that companies have built into their IT and business processes. Viscuso says many companies wait until the next patching cycle to roll out something. That's why so many companies were impacted by WannaCry; they simply didn't patch when Microsoft made its upgrade available.
Patching the vulnerability that cracked open the door to WannaCry was a no-brainer despite the challenges it presented, because it could be exploited remotely, says Steve Grobman, CTO of security software maker McAfee. Simply making a network connection with a machine introduced the threat.
But because this patch dealt with Server Message Block (SMB) -- the part of the OS that enables file sharing -- the likelihood of breaking applications during patching was also high. The risk was particularly steep for organizations with large numbers of legacy applications, some of which were two or more decades old and whose developers may no longer be alive, Grobman says. For that reason, many companies simply elected not to patch.
"They've been leaving the pot on the stove while they go to work for many years and there hasn't been an issue," Grobman says. "When you exhibit risky behavior just because something bad doesn't happen shouldn't imply something risky couldn't happen."
Grobman expects CIOs will recalibrate their IT processes to take a much more aggressive approach to patching. This is important at a time when the Shadow Brokers, the hacker collective that claims to have stolen EternalBlue and other exploits from the NSA, says that more exploits are on the way.
But with roughly 5,000 new vulnerabilities emerging every year, it will be impossible for CIOs to patch every hole, says Carbon Black's Viscuso. He says that CIOs must rank the ones that pose the greatest threat to their businesses, test them and schedule upgrades.
The takeaway for CIOs: Keep your work computers updated with patches on a regular basis and apply emergency patches as needed. Ensure PCs are running a current operating system and manage your anti-virus software to maintain updated virus definitions. Back up PCs and servers nightly so if ransomware does get into your network, you can restore resources quickly.
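The rank-test-schedule approach Viscuso describes, reduced to working code as an added example (not from the article, Carbon Black or McAfee). It scores each vulnerability on the criteria the article raises (remote exploitability over a bare network connection, a circulating exploit, an out-of-cycle release) against the breakage risk of the component it touches, and picks a rollout track; the weights, thresholds and sample entries are constructed assumptions.

```python
"""Patch triage scorer: rank by threat, weigh breakage risk, choose a rollout track."""
from dataclasses import dataclass


@dataclass
class Vuln:
    advisory: str           # vendor advisory id, e.g. "MS17-010"
    remote_no_auth: bool    # exploitable by merely making a network connection
    public_exploit: bool    # a working exploit is circulating (e.g. EternalBlue)
    out_of_band: bool       # vendor shipped it outside the normal patch cycle
    core_component: bool    # touches a core OS service (e.g. SMB) many apps depend on
    legacy_dependents: int  # legacy applications relying on that component


def threat_score(v: Vuln) -> int:
    """Higher means the hole is more dangerous to leave open. Weights are assumptions."""
    score = 0
    if v.remote_no_auth:
        score += 5  # the "no-brainer" criterion: no user action or credentials needed
    if v.public_exploit:
        score += 3
    if v.out_of_band:
        score += 2  # the vendor judged it urgent enough to break its own cadence
    return score


def breakage_risk(v: Vuln) -> int:
    """Higher means patching is more likely to break something. Weights are assumptions."""
    risk = 2 if v.core_component else 0
    risk += min(v.legacy_dependents, 5)  # cap so one large legacy estate cannot dominate
    return risk


def schedule(v: Vuln) -> str:
    """Pick a rollout track; high breakage risk buys testing time, never a skip."""
    t, b = threat_score(v), breakage_risk(v)
    if t >= 7:
        return "emergency: test against staged copies of legacy apps, then deploy now"
    if t >= 4:
        return "next cycle, front of queue" if b <= 3 else "next cycle, after compatibility testing"
    return "next cycle"


def triage(vulns):
    """Return the vulnerabilities most-urgent first (highest threat, then lowest breakage risk)."""
    return sorted(vulns, key=lambda v: (-threat_score(v), breakage_risk(v)))


SAMPLE = [  # constructed entries; MS17-010's flags follow the article's description of it
    Vuln("MS17-010", True, True, True, True, 12),
    Vuln("EXAMPLE-1", False, False, False, False, 0),
    Vuln("EXAMPLE-2", True, False, False, False, 1),
]

if __name__ == "__main__":
    for v in triage(SAMPLE):
        print(f"{v.advisory}: threat={threat_score(v)} breakage={breakage_risk(v)} -> {schedule(v)}")
```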