The Importance of Patching


[Announcement]

Government joins forces with leading software companies to stress the importance of patching

Leaving software unpatched amounts to gambling your business away, warn three new videos released by the Technology Forum, a cybersecurity partnership between government agencies and some of the world’s leading technology companies.

The videos represent a joint push from government and industry to raise awareness of the dangers businesses run when they put off installing patches for existing software.

With members including IBM, Microsoft and Dell Secureworks, the Technology Forum collaborated with senior government organisations to commission the videos from the Trustworthy Software Initiative (TSI), a government-backed organisation with a mandate to improve the quality of software manufactured and used in the UK.

The three videos respectively show:

Gamble: Gamblers suffering financial losses in a casino environment, with the aim of informing business owners that leaving software unpatched amounts to gambling away their business;

Garage: Engineers giving racing cars a pre-race examination, driving home the message that seemingly time-consuming preparation is essential for secure performance.

Racing: A poorly-maintained racing car failing to complete the course, stressing the importance of trustworthy software to the successful operation of any modern business.

Disregard for patching represents a significant and growing problem for businesses of all sizes. According to the latest figures, untrustworthy software is responsible for over 90% of data breaches worldwide, with 99.9% of these vulnerabilities being exploited more than a year after details were made public.

Such attacks are easily preventable. In order to stay safe, businesses need to ensure software is managed throughout its lifecycle, and that updates and patches are regularly monitored and installed. In fact, patching has already been enshrined as one of the key tenets of Cyber Essentials, the government-backed and industry-supported scheme to guide businesses in protecting themselves against cyber threats.

Trustworthy Software Essentials, a parallel scheme run by the TSI aimed specifically at encouraging better software management and use, also stresses the vital role patching plays in keeping a business safe. Businesses wishing to take a more comprehensive approach are advised to consult the TSI’s landmark guidance document PAS 754:2014 Software trustworthiness, the first Publically Available Specification to document the overall principles for effective software trustworthiness.

“Our hope is that these videos will encourage businesses to invest time and resources into the development and maintenance of trustworthy software,” said Tony Dyhouse, Director of the TSI. “Considering the substantial risks untrustworthy software can pose to individual businesses and the UK economy as a whole, it is important that government and industry speak with one voice to raise awareness of this important issue.”

Stuart Aston, National Security Officer, Microsoft UK, says: “If you knew that burglars had the keys to your front door, you’d change the locks. But if you aren’t keeping your software up to date, you are giving the criminals the keys to your data. Patching should be business as usual for organisations of all sizes and consumers.”

Don Smith, Technology Director, Dell SecureWorks, says: “Attackers love vulnerabilities, they know it takes time for enterprises to patch which opens an attack window for exploitation. The immediate days following the announcement of a patch report are critical as attackers will focus their exploitation attempts on identified vulnerabilities.”

“To remain effective and reduce risks in what is a regular activity, organisations should be putting metrics around patching and understand if “time-to-patch” is trending in the right direction”.

Published: 2 July 2015

Updated: 4 April 2016 (replicated from Trustworthy Software Initiative website to successor Trustworthy Software Foundation website)