Wednesday, December 8, 2010

Compliance burdens hamper vulnerability management processes, survey finds

I saw this article and thought about our discussions in class regarding the (to be frank) impossibility of maintaining PCI DSS compliance.

Written by Robert Westervelt, the News Director at SearchSecurity.com, the article cites a new survey that found many organizations are struggling to deal with patch and configuration management issues and often lack efficient processes to deploy patches to systems and applications in a timely manner.

"According to eEye's "2011 Vulnerability and Management Trends Report," 85% of those surveyed indicated that their IT staff is overburdened with regulatory compliance issues. About half of those surveyed said regulatory compliance initiatives take up to 50% of their work weeks," (Westervelt) and this is at the expense of actual vulnerability management.

Larry Whiteside, CISO at the Visiting Nurse Services of New York, said, "I don't know any company in the world that doesn't have patching issues. The time to prioritize and test can make staying on top of the patching cycle very difficult."

In addition, the rising use of smartphones and other mobile devices is straining the ability of IT teams to ensure systems are up to date. The survey found that 31% of professionals indicated they don't have enough personnel to handle increased patching demands. In addition, keeping track of browser component vulnerabilities, Flash updates, and other third-party client software updates is an issue at many enterprises.

"There's definitely a lack of visibility, especially as it relates to non-Microsoft software," Maiffret said.

What's so special about Microsoft?

As you may recall from our case study, Microsoft's process for handling threats involves bulletins and notification. This article makes a point of mentioning Microsoft as a company that does a good job of "identifying and addressing vulnerabilities in other applications wrapped in one product." Microsoft's huge market share lets it do this, in my opinion. Therefore it seems that the majority of companies that lack Microsoft's huge presence, such as iPremier, Flayton's and TJX, are hampered by the issues brought up in this article.



2 comments:

  1. I thought that this article was really interesting. In class we have discussed many things that companies that have been victims of a security breach "should do" or "should have done," but this article is a good reminder that all of these suggestions are very much easier said than done. This post made me realize that many companies simply do not have the staff and resources to comply with all of the regulations. It seems to me that companies need to rethink their priorities and realize that they are going to need to invest a significant amount of time and money into IT if they are going to be successful in today's information age.

  2. It is a good point to state that money plays a great deal in determining how frequently a company is able to patch its products. Companies have to pay for professionals to work for them and make fixes to their software. While this doesn't seem like much to a company on the level of Microsoft, it can be harder for small business firms who don't necessarily have the funds. This, I think, can be made much more difficult when larger firms hire a larger majority of professional staff which can leave smaller firms with less personnel to work with.
    Testing software and hardware for compatibility and function also costs a great deal of money. A combination of lack of personnel, security breaches, and constant testing can be more demanding on smaller firms. So I believe that the statement is correct as money plays a much larger role in security than it is given credit for.
