The Number 1 reason is: “We do not do an adequate job of patching and paying attention to security!”
Again and again we can find reports and stories of entities not doing basic tasks:
(The image above is from a Protiviti report.)
Why are the basics not being done?
Because keeping up with IT tasks month after month takes a concerted effort; it is not easy, and in fact it is a difficult challenge. What is so difficult about the everyday reality of patching hundreds of systems every month, at a minimum?
Well, let’s list a few problems that arise:
- Personnel challenges – sickness, vacation, doctor visits, kids, parents, brothers, sisters, and spouse conflicts.
- Many things can go wrong with the device itself even when it is used correctly. If it is a laptop, it has to be connected to the network, either over VPN or directly, before it can download and install the update.
- The two above are the normal challenges; what about the abnormal ones? Somebody installs new software that conflicts with the patch, the patch fails to install correctly, and the system stays vulnerable to attack.
Knowing this, management has to schedule for and account for these potential problems, which sometimes costs more resources than anticipated. That becomes a problem of its own, and management pushes back on IT: no more overtime this month!
In basic terms – stuff happens and then patches are not applied. If this management process is more broken than fixed, there will be plenty of chances for hackers to attack.
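As an added example that is not part of the original post, here is a small Python check of the kind a monthly patch review could run over an export from a patch-management tool. It buckets each system into the failure modes described above (laptop not checking in, failed install, patch window missed); the inventory records and their field names are constructed assumptions, not a real tool's format.

```python
from datetime import date

# Constructed sample inventory (hypothetical hosts and field names), one record
# per system as a patch-management export might list it.
INVENTORY = [
    {"host": "srv-01", "last_checkin": "2024-03-02", "patch_status": "installed", "last_patched": "2024-03-02"},
    # Laptop that has not been on VPN or the LAN for weeks: its status is unknown.
    {"host": "lap-07", "last_checkin": "2024-01-20", "patch_status": "pending",   "last_patched": "2024-01-15"},
    # Workstation where newly installed software made the patch fail.
    {"host": "ws-12",  "last_checkin": "2024-03-03", "patch_status": "failed",    "last_patched": "2024-01-31"},
    # Server that was allowed to "slide" past one monthly cycle.
    {"host": "srv-04", "last_checkin": "2024-03-03", "patch_status": "installed", "last_patched": "2024-01-28"},
]


def audit_patch_status(records, as_of, window_days=30, checkin_days=7):
    """Return host names grouped by patch-compliance state as of a given date.

    Order of checks matters: a failed install needs action regardless of dates,
    a host that has not checked in recently cannot be trusted to report at all,
    and only then is the monthly window applied to the last successful patch.
    """
    as_of = date.fromisoformat(as_of)
    report = {"compliant": [], "failed_install": [], "not_checked_in": [], "overdue": []}
    for rec in records:
        since_checkin = (as_of - date.fromisoformat(rec["last_checkin"])).days
        since_patch = (as_of - date.fromisoformat(rec["last_patched"])).days
        if rec["patch_status"] == "failed":
            report["failed_install"].append(rec["host"])
        elif since_checkin > checkin_days:
            report["not_checked_in"].append(rec["host"])
        elif since_patch > window_days:
            report["overdue"].append(rec["host"])
        else:
            report["compliant"].append(rec["host"])
    return report


def needs_escalation(report):
    """True when anything other than the compliant bucket is non-empty."""
    return any(hosts for state, hosts in report.items() if state != "compliant")


if __name__ == "__main__":
    result = audit_patch_status(INVENTORY, "2024-03-04")
    for state, hosts in result.items():
        print(f"{state:15s} {', '.join(hosts) or '-'}")
    print("escalate to management:", needs_escalation(result))
```

The three non-compliant buckets are exactly the items a quarterly review should walk through host by host rather than accept as a percentage.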
It depends on the maturity of management's thinking and actions. Is management willing to make sure the patches are applied, or willing to let them slide for a while?
The answer is to create processes that fulfill compliance mandates and not deviate from them:
for example, quarterly meetings at a minimum, with required review and testing of all important systems and potentially other systems as well.
Punch line? Hackers are successful because of failures in management's actions and thinking with regard to cybersecurity.