How important is patch management? [duplicate]

Problem

I’m trying to sell the idea of organizational patch/update management and antivirus management to my superiors. Thus far, my proposition has been met with two responses:

  1. We haven’t had any issues yet (I would add that we know of)
  2. We just don’t think it’s that big of a risk.

Question

Are there any resources available that can help me sell this idea?

I’ve been told that 55-85% of all security-related issues can be resolved by proper anti-virus and patch/update management, but the individual that told me couldn’t substantiate the claim. Can it be substantiated?

Additional Information

1/5 of our computers (the ones in the building) have Windows Update turned on by default and anti-virus installed. 4/5 of our computers are outside corporate and the users currently have full control over anti-virus and Windows updates (I know this is an issue, one step at a time).

Answer

I can tell you that patch management is high on the list of every IT auditor and does get checked quite often. Not patching your systems leaves them vulnerable to the prying eyes of attackers. Patching is required to be done, but it should also be tested before being pushed to production. The only mandatory patches you generally need to do are security patches, regardless of whether the system is only LAN or WAN accessible (although WAN needs to be prioritized).

Now you can say “hey, what’s the risk? We haven’t had any issues like that before!”. Well, in some countries, if you have a breach which leaked personal information and it is shown that you did not take appropriate measures to secure your environment (patch management being one of them), your company can be held legally liable for the breach. In Europe, from next year, the new data protection legislation will even make it so that your superiors, who are in charge of making policies on how to store this personal information, can be held personally liable for this.

Attribution
Source: Link, Question Author: James Hill, Answer Author: Lucas Kauffman
