Patching alone won’t stop cyber crime

Daniel Benad, group vice president and regional general manager, ANZ and Oceania, Rimini Street

Strong security policies have been critical for organisations in all industries since the early days of technology. However, many organisations are still under the impression periodic patches applied by their various vendors for their enterprise resources planning (ERP) and enterprise software platforms, and even mobile phones and laptops, is sufficient to stay cyber safe – and anything standing in the way of a patch or upgrade being installed will leave them exposed to criminals eager to hack in.

This sentiment neglects the realities of the modern cyber security landscape, and largely ignores the fact most enterprise software companies are not security companies. Much like an update to your most used smartphone app or even a video game, vendor-supplied ERP patches are typically just bug fixes to their own software and should never be confused with proactive cyber defence.

It also ignores the sheer effort involved in installing enterprise software patches, including the extended time it takes to test them within the company’s environment before it can be implemented. This can sometimes take up to six months; by this time, a new bug will likely have been identified and a new patch or upgrade needs to be tested.

Unfortunately, many organisations and their IT teams are told that there is no alternative to the merry-go-round of endless and often disruptive patches and fixes. In reality, however, these reactive solutions alone don’t provide the comprehensive and proactive security most businesses need – and they are paying exorbitant vendor maintenance fees to boot.

A hamster wheel of bug fixing

Software companies review bugs and vulnerabilities to determine the potential threat of an issue, and how critical it is to fix a particular issue. That involves identifying how widely the affected library or code base was used, what platforms were affected, and its history.

That’s a laborious and lengthy process, and it’s not uncommon for vendors to learn a bug has existed for a significant period.

Furthermore, finding a problem doesn’t necessary mean it’s possible to push out a patch immediately. It may have been there for years, sure, but it could be another year or more before a patch to fix the bug is installed. Equally problematic is that vendor-supplied patches and upgrades come in a one-size-fits-all solution, with little to no scope for customisations or the unique IT environments they’ll be thrown into.

That means IT managers are left waiting for patches to be released, only to find themselves needing to undergo rigorous regression testing, running Quality Assurance (QA), performing end-user testing, and repairing the customisations the patches break – all this, multiplied by every single database or application instance in the company. This process is time consuming, risky, disruptive, and expensive.

Like a hamster in a wheel, customers repeat this cycle hundreds of times over for each new patch that follows.

The fact is vendor patches are complex and, even when applied effectively, tend to be limited in scope as they generally tackle only the issue that was discovered in the wild and do not address the weakness holistically. In short, vendor patches are not enough to maintain a proactive security posture.

Beyond the Band-Aids

Organisations simply can’t afford to buy into the notion of patching as an all-inclusive security posture. Rather, it should be viewed as merely a tactic to keep them paying for maintenance every year.

Security is best left to security experts. Whatever the industry, companies should look to cybersecurity platforms, firewalls, and defence agencies to mitigate risks.

Today’s organisations require modern and cost-effective security tactics, such as in-memory database protections and real-time self-protection for middleware and applications. These are far more effective methods for addressing security issues within the enterprise software stack, while also enabling huge reductions in downtime and business disruption.

Regular penetration testing is also critical to the maintenance of a secure perimeter. Rather than waiting for a software vendor to highlight a long-undiscovered (or previously discovered but not actioned upon) vulnerability, penetration testing can regularly test the defence for holes not just within the ERP, but the entire environment.

It’s also important to note that those same bugs and vulnerabilities may be addressed by third party support and maintenance providers, which aim to fix the issue at the source, immediately, rather than wait for a patch to be downloaded and tested. Doing so can relinquish the strain on the internal IT team to test and configure patches, which take significant time and resources to manage.

Ultimately, it comes down to the fact that vendors of ERP and enterprise software platforms are not security companies. Although they provide exceptional software, patches alone should not be considered a cyber-defence.