Dedicated security technology company, McAfee, has announced research which reveals the extent to which companies are failing to protect themselves from security vulnerabilities. Almost half of those questioned (45%) believe that their IT infrastructure is never 100% protected from software and network vulnerabilities.
The McAfee study, conducted by Ipsos Research, surveyed over 600 senior IT decision makers at companies with 250+ employees across Europe. The aim was to better understand the approach taken by businesses towards patch management, one of the greatest IT security challenges facing large businesses.
Topline findings reveal:
* Over a quarter (27%) of those questioned say it takes 48 hours or more from the time a patch is issued to the IT infrastructure being fully protected from that vulnerability. One in five (19%) say it takes up to a week or more
* Over a third (36%) of European businesses have no idea how many patches they applied to their business in a 6 month period
* 58% of IT professionals questioned have no idea how much the deployment of patches is costing their business
* One in five (20%) IT professionals spend an hour or more a day researching vulnerabilities and patches
* 45% of those questioned do not prioritise which areas of the business are patched first
Given the context of faster and more sophisticated IT threats and ever larger and more complex IT systems, patch management is a serious concern for many large businesses. In the time that it takes for a patch to be issued and deployed throughout an organisation, that business is vulnerable to security breaches, mass outages, loss of productivity and ultimately the loss of customer confidence.
A time intensive process
The deployment of patches is a complicated process, especially for large businesses - it can take days of researching, testing and deploying for every patch. McAfee's research reveals the scale of the resources dedicated to patch management, with 20% of those questioned spending an hour a day or more researching patches and vulnerabilities. In Italy, almost a third (31%) spend this long researching patches while in Germany this figure stands at 24%. Across Europe, one in ten IT professionals spend 240 hours a year researching vulnerabilities, which equates to five working weeks.
The ever expanding window of vulnerability
The time taken to deploy patches fully is leaving businesses open to attack. Across Europe, over a quarter admitted that the window from a patch being issued to full deployment was 48 hours or more. For one in ten European businesses (19%), it takes up to a week or more to deploy patches. The window of vulnerability lasts longest in France, with over a quarter (27%) of those questioned taking a week or longer to protect their business from a vulnerability.
Counting the cost of patch management
Surprisingly, the survey revealed that many IT professionals are in the dark when it comes to just how many patches they deploy and how much this costs their business. The number of patches issued is so great that over a third (36%) of those questioned across Europe had no idea how many were issued over a six month period and 58% do not know how much the process costs their business. This is despite IDC predicting that the European market for patch management will reach $88m by 2010.
What is clear, however, is that most businesses think they will need to dedicate more resources to patch management in the future. Over half (54%) said they would invest more resources in this area in the future with German companies leading the way with 68% planning to increase resources.
Prioritising protection
Given the context of increasingly sophisticated IT threats and limited IT resources, businesses need to implement a patch management strategy which reflects this reality. At the heart of this approach must be the identification of business critical assets and the prioritisation of resources to protect these assets first. McAfee's research reveals that European businesses are increasingly adopting this strategy with 45% of those questioned prioritising areas of the business where patches are first deployed. But the research also shows that a significant proportion of businesses are not focusing their resources on protecting critical assets from vulnerabilities.
Businesses should look to combine a prioritised patch management process with proactive blocking solutions which will protect a network against both known and unknown threats, thereby giving organisations valuable extra time to research and deploy patches.
Compliance
Patch management is also critical for businesses as it can impact on their compliance with a range of government regulations including Sarbanes-Oxley, HIPAA and MiFID. A failure to protect systems with the latest patches may have serious implications for a business with regards to these regulations. Across Europe, the research reveals that most organisations have put the necessary steps in place, with 82% of those questioned having confidence in the compliance of their patch management policy.
"The feedback from large businesses is clear - patch management is a serious concern for them," says Chris van Niekerk, regional director of McAfee South Africa. "Organisations are vulnerable to IT attacks because security patches are issued too frequently for businesses to safely test and deploy throughout the organisation in a timely fashion. The only solution to mitigate the risk from this and give executives peace of mind when it comes to the security of their business is to combine a prioritised patch management process with proactive intrusion prevention solutions."
The research was conducted by Ipsos Research who questioned 600 IT professionals across the UK, France, Germany, Italy, Spain and the Netherlands in November 2005.
McAfee, Inc., headquartered in Santa Clara, California, the leading dedicated security technology company, delivers proactive and proven solutions and services that secure systems and networks around the world. With its unmatched security expertise and commitment to innovation, McAfee empowers home users, businesses, the public sector, and service providers with the ability to block attacks, prevent disruptions, and continuously track and improve their security.
Ipsos Europe
Created in 1975, Ipsos expanded in major European research markets in the late eighties. Today, Ipsos Europe employs more than 2000 persons in 13 key countries which contribute nearly half of the Group revenues. Ipsos experts, having a deep knowledge of their local markets' specificities, bring to their clients the Group's expertise in international market research and key accounts' management. Ipsos companies, leaders in their respective markets, offer their clients the five Ipsos specializations: advertising research, marketing research, public opinion research, media research and quality and customer satisfaction research.