IT security researchers say 81 percent of CIOs and CISOs defer security-relevant critical updates or patches due to concerns about the impact it might have on business operations. Authentic8’s Claudia Berth discusses the results that should serve as a wake-up call for compliance leaders.
Security researchers report that eight out of 10 CIOs and CISOs refrain from adopting an important security update or patch due to concerns about the impact it might have on business operations. Fifty-two percent of those surveyed said they didn’t take action on more than one occasion.
These and other findings of the Global Resilience Gap[1] study, commissioned by security software firm Tanium, put compliance leaders on notice. The researchers polled 500 Chief Information Officers (CIOs) and Chief Information Security Officers (CISOs) in companies with more than 1,000 employees in the United States, United Kingdom, Germany, France and Japan.
Their goal was to explore the challenges and trade-offs that IT operations and security leaders face in protecting the business from a growing number of cyber threats and disruptions. What they found should put compliance leaders on high alert.
The Problem: “Lack of Visibility and Control”
Twenty-five percent of respondents worry their company would be unable to comply with current regulations as a result of their inaction. Are the other 56 percent procrastinators blissfully unaware of the potential consequences, or simply cocky?
Unawareness seems to be the more significant factor. According to the report, the leading cause behind such missed or delayed updates is a “[l]ack of visibility and control across networks.”
Especially in the era of BYOD, this opaqueness becomes a severe liability. Eighty percent of respondents said a critical update or patch they believed had been deployed had in fact not been applied on all devices. The oversight left their business exposed to security and compliance violations.
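The gap described above, a deployment console that reports "success" while some devices never received the patch, is detectable if the job record is reconciled against what the devices themselves report. The following Python is an added example (not code from the Tanium study or from Authentic8); the record layouts, the placeholder patch identifier and the host names are constructed for illustration, and a practitioner would replace them with exports from their own deployment tool and endpoint inventory.

```python
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed sample data for this example; identifiers are placeholders.
# Job record as a patch-deployment console might export it: the console
# believes the patch went out to every listed target.
DEPLOYMENT_REPORT = {
    "patch_id": "PATCH-EXAMPLE-0001",
    "console_status": "success",
    "targets": ["ws-001", "ws-002", "ws-003", "byod-tab-07", "lt-042"],
}

# Ground truth collected from the devices themselves (agent check-in,
# login script, MDM export). 'last_seen_days' is days since the last report.
DEVICE_INVENTORY = [
    {"host": "ws-001", "installed": ["PATCH-EXAMPLE-0001"], "last_seen_days": 0},
    {"host": "ws-002", "installed": [], "last_seen_days": 0},
    {"host": "ws-003", "installed": ["PATCH-EXAMPLE-0001", "PATCH-EXAMPLE-0002"], "last_seen_days": 1},
    {"host": "byod-tab-07", "installed": [], "last_seen_days": 21},
    # "lt-042" never appears: the console targeted a device inventory does not know.
]


@dataclass
class Reconciliation:
    patch_id: str
    verified: List[str] = field(default_factory=list)       # device confirms patch present
    missing_patch: List[str] = field(default_factory=list)  # device checked in, patch absent
    stale: List[str] = field(default_factory=list)          # no recent check-in; state unknown
    unknown: List[str] = field(default_factory=list)        # target not in inventory at all

    def coverage(self) -> float:
        """Fraction of targets whose patched state is actually confirmed."""
        total = (len(self.verified) + len(self.missing_patch)
                 + len(self.stale) + len(self.unknown))
        return len(self.verified) / total if total else 0.0

    def dashboard_is_wrong(self, console_status: str) -> bool:
        """True when the console claims success but any target is unconfirmed."""
        return console_status == "success" and self.coverage() < 1.0


def reconcile(report: Dict, inventory: List[Dict], stale_after_days: int = 7) -> Reconciliation:
    """Classify every target of a deployment job by what the device itself reports.

    Order of checks matters: a device that has not checked in recently is
    reported as stale even if an older inventory entry lists the patch, because
    that entry cannot confirm the current state.
    """
    by_host = {d["host"]: d for d in inventory}
    result = Reconciliation(patch_id=report["patch_id"])
    for host in report["targets"]:
        device = by_host.get(host)
        if device is None:
            result.unknown.append(host)
        elif device["last_seen_days"] > stale_after_days:
            result.stale.append(host)
        elif report["patch_id"] in device["installed"]:
            result.verified.append(host)
        else:
            result.missing_patch.append(host)
    return result


if __name__ == "__main__":
    r = reconcile(DEPLOYMENT_REPORT, DEVICE_INVENTORY)
    print(f"{r.patch_id}: console says {DEPLOYMENT_REPORT['console_status']}, "
          f"confirmed coverage {r.coverage():.0%}")
    for label in ("verified", "missing_patch", "stale", "unknown"):
        print(f"  {label:14s} {getattr(r, label)}")
```

With the constructed data the console's "success" covers five targets, but only two can be confirmed: one device checked in without the patch, one BYOD tablet has not reported in three weeks, and one target is not in inventory at all. Treating stale and unknown devices as unpatched, rather than as the console reports them, is what closes the visibility gap the survey respondents describe.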
Missed Updates and Patches? Think Browser.
Ask any IT or compliance leader to name the most unmanageable and least transparent application, and most will point to the primary tool used online: the locally installed common web browser.
Security experts agree: The vast majority of data breaches, security and compliance violations online can be traced back to the weak security, privacy and compliance posture of traditional browsers.[2]
Such “free” browsers come with a hidden price tag. They are notoriously difficult to maintain, secure, update, patch and monitor. Decentralized browsers also require more updates, patches and patch management than any other application to maintain even a basic semblance of security – and IT has a hard time keeping up.
The result is that in most organizations, the browser has created a critical blind spot for compliance leaders and IT.[3] Updates and patches that happen too late or never – for example, due to a lack of qualified personnel[4] – are increasing the risk of data breaches and compliance violations.
The point is not lost on browser makers themselves. A Microsoft cybersecurity expert recently warned against the “perils of using Internet Explorer as your default browser.”[5] The reason: Internet Explorer, still widely used in many businesses, is so outdated that Microsoft no longer even wants to call it a “browser.”[6] And in March, Google issued a warning about its own browser that prompted the headline “Stop What You’re Doing and Update Google Chrome.”[7]
What were the chances they were heard? Nineteen percent?
Is Your CISO an 81-percenter?
Regulated entities cannot afford to find out the hard way. When IT misses critical updates or patches, the consequences can be dire. The 2017 data breach at Equifax was traced back to a vulnerability for which a patch was available – it hadn’t been applied.[8]
Now security-sensitive organizations in private and public sectors worldwide are discovering a convenient and cost-effective way to avoid the patch procrastination trap.
Their solution: remote browser isolation, which removes the browser – the critical blind spot for patch management and compliance – and with it all associated risks from the corporate network. A centrally managed, monitored and updated browser in the cloud isolates all web code in a secure container off-site. Only a visual display – benign pixels – reaches the endpoint.
Frequently compared to the “air gap” IT security approach used on submarines and in nuclear power plants, this method completely insulates the local IT from web-borne threats, because no code from the web – nor any fallout from missing updates or security patches – can touch the local computer or mobile device.
Take NASA, for example. As recently as 2016, the federal space agency reported that 426,000 critical patches had not been applied to more than 53,000 systems. Fast forward to 2019; more than 100 federal agencies have either deployed or are in the process of procuring a secure cloud browser that doesn’t require them to install updates and patches anymore.
Understaffed? “Free” Browsers Are Taxing Your Team
Proper web isolation, as in this example, makes it impossible for malware or tracking code to touch the endpoint or the corporate network. For each web session, a new browser instance is built from scratch in the cloud and centrally configured to keep permissions and policies intact across departments, branch offices and subsidiaries.
This means that regardless of where users are located or which device they use to access the web – office PC, BYOD tablet or even the malware-ridden computer in a hotel business center – with the cloud browser, their online activities cannot put the organization at risk anymore.
The upkeep demands of traditional browsers increasingly drain IT and risk management resources. Cloud browser technology, on the other hand, allows compliance and information security specialists to focus on other critical tasks that demand their attention.
The cloud browser approach enables organizations to…
- reduce hard and soft costs: through centralized browser management and customer-defined embedded policies, the burden of managing, updating and securing the browser shifts from IT to the provider.
- centralize oversight and on-demand auditing: a properly designed browser in the cloud provides management hooks that require only one-time implementation.
- access the web anytime, anywhere without loss of security or control, including from BYOD devices, which account for an ever-increasing share of (missed) updates and patches in many organizations.[8]
Browser Patching? Passé.
No more missed updates and patches for firms who protect their employees and digital assets with a compliance-ready cloud browser. This solution, which in the private sector is deployed by many leading banks, investment and law firms, enables organizations to handle identity and access management for authorized cloud-based apps centrally.
IT administrators can also apply policies to allow or block key browser functionality, such as copy/paste or upload/download. Plus, the cloud browser allows for a unified view into all user activity during a web session, for centralized audit and compliance review.
Time and labor saved for critical updates and patching is not the only net result of introducing web isolation. Enterprises that took this step are seeing a dramatic decrease in web-related security incidents and compliance violations. And they report significant cost savings.[9]
Side Effect: 74% Cost Savings Over “Free” Browsers
As an example, mid-sized organizations (fewer than 5,000 employees) spend on average $1,255 per employee per year on IT security, most of it on mitigating risks and vulnerabilities introduced through the use of traditional browsers. Gartner estimates $1,178 per employee per year for Fortune 2000 firms.[10]
By contrast, firms that deployed a cloud-based browser were able to bring these costs down to roughly $331 per employee per year. This translates to savings of 74 percent.
[1] Tanium: Global Resilience Gap – https://tanium.com/ (Research Report 4/2019)
[2] Osterman Research: Why You Should Seriously Consider Web Isolation Technology – https://www.ostermanresearch.com/home/white-papers/ (White paper 12/2018)
[3] John Klassen: A Persistent Threat in Financial Services – https://www.corporatecomplianceinsights.com/a-persistent-threat-in-financial-services/ (Corporate Compliance Insights 1/2019)
[4] Larry Loeb: 10 IT Weak Spots Hit Hardest by the Cybersecurity Talent Shortage – https://authentic8.blog/10-it-weak-spots-hit-hardest-by-the-cybersecurity-talent-shortage/ (Authentic8 Blog 2/12/2018)
[5] Chris Jackson: The Perils of Using Internet Explorer as Your Default Browser – https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/The-perils-of-using-Internet-Explorer-as-your-default-browser/ba-p/331732 (Windows IT Pro Blog 2/6/2019)
[6] Tom Warren: Microsoft really doesn’t want you to use Internet Explorer anymore – https://www.theverge.com/2019/2/8/18216767/microsoft-internet-explorer-warning-compatibility-solution (The Verge 2/8/2019)
[7] Stop What You’re Doing and Update Google Chrome – https://www.pcmag.com/news/367015/stop-what-youre-doing-and-update-google-chrome (PCMag)
[8] Larry Loeb: 10 IT Weak Spots Hit Hardest by the Cybersecurity Talent Shortage – https://authentic8.blog/10-it-weak-spots-hit-hardest-by-the-cybersecurity-talent-shortage/ (Authentic8 Blog 2/12/2018)
[9] Scott Matteson: Relaxed policies and outdated devices are the biggest BYOD threats – https://www.techrepublic.com/article/relaxed-policies-and-outdated-devices-are-the-biggest-byod-threats/ (Tech Republic 3/1/2017)
[10] Eric Stegman, Shreya Futela, Disha Badlani: IT Key Metrics Data 2019: Key IT Security Measures: by Industry – https://www.gartner.com/en/documents/3893777 (Gartner Research Report 12/17/2018)