Observe any article discussing recommended strategies for cybersecurity, and at roughly the third or fourth item on the list you’ll come across advice on promptly and consistently applying patches and updates. Applying patches for identified vulnerabilities is considered a fundamental aspect of maintaining good cybersecurity standards, ranking alongside utilizing multi-factor authentication and exercising caution before clicking on links in emails from unknown sources.

It took me by surprise to hear at Qualys QSC24 in San Diego that several conference speakers argued against patching as an immediate response. They argued that there are situations where avoiding patching entirely might be a better decision.

Dilip Bachwani, Chief Technology Officer at Qualys, stated, “It’s not viable to address every single issue immediately.”

“It’s not feasible,” Bachwani elaborates. “Even if there is a vulnerability, it may not be applicable to your specific environment.” It could be an application that is not exposed to the internet or one that is protected through alternative security measures.

Understanding your risk level

The instinctive reaction upon the release of a new patch is to install it quickly to prevent a vulnerability from escalating into a cybersecurity incident. Nonetheless, Bachwani and his colleagues at Qualys emphasize that security teams need to pause and evaluate the risk threshold of their organization.

Initially, such an assessment reveals numerous vulnerabilities across an organization’s infrastructure. A research report by Coalition anticipates a 25% rise in the total number of common vulnerabilities and exposures (CVEs) in 2024, amounting to 34,888 vulnerabilities, or nearly 3,000 per month.

“New vulnerabilities are being disclosed and increasing rapidly,” notes Tiago Henriques, Head of Research at Coalition. “Many organizations are overwhelmed with alerts and uncertainty regarding which vulnerabilities to address first in order to minimize their overall exposure and risk.”

As the frequency of CVEs continues to climb, it may seem like every vulnerability is critical — and when all vulnerabilities are given equal risk weight, the task of patching becomes overwhelming. The researchers at Qualys suggest prioritizing vulnerabilities based on their associated risks to determine which should be patched first and which might not require patching at all.

Methods for prioritizing vulnerabilities within your organization

To prioritize vulnerabilities effectively, it is essential to have visibility over all assets within the organization and identify and monitor the attack surface. Yet, research conducted by Qualys reveals that merely 9% of companies actively monitor 100% of their attack surface. Shadow IT, risks related to third-party vendors, hastily executed digital transformations lacking proper technology and asset assessments, and failure to acknowledge emerging threat vectors are among the factors hindering organizations from adequately monitoring their attack surface.

Implementing an attack surface management initiative will help identify the technologies connected to your network and ascertain the areas requiring protection. Key features of an attack surface management program include:

  • Comprehensive visibility across hybrid IT environments
  • Dynamic cybersecurity requirements with swift identification capability
  • Real-time tracking of unauthorized software
  • Identifying and rectifying blind spots

By familiarizing yourself with the systems accessing your network, identifying your corporate assets, and assigning a risk tolerance level to each asset, deciding which vulnerabilities are critical enough to patch, and which can be left unpatched, becomes more straightforward.


Deciding when to slow down patching procedures

Patching strategies should be tailored to each organization, based on its internal assessment of mission-critical applications and its risk acceptance level. While some organizations may deem it necessary to patch the most critical vulnerabilities immediately, others might determine that a seven-day timeframe is sufficient to mitigate risks to their key assets. Patch management programs usually categorize assets into tiers, commencing with the most critical systems, where downtime from a problem cannot be tolerated, and then descending through secondary tiers with longer waiting periods.

However, there are instances where it is advisable to slow down or forego the patching process altogether. These scenarios include:

  • An essential, time-sensitive project is in progress and demands uninterrupted system usage
  • Reports of bugs in the patch or compatibility issues arising with the application during testing
  • The vulnerable software is restricted in usage within the organization and can be isolated
  • Alternative mitigating controls can be adopted
  • The application rarely utilizes the functions affected by the known vulnerability
  • The expenses of patching outweigh the benefits. For example, if the code is archaic and necessitates overhaul, investing time and resources in applying the patch may not be justified.
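The tiered deadlines described above and the deferral scenarios in this list can be expressed as a small triage routine. The following Python is an added illustration and is not code from the article, from Qualys or from Coalition: the tier-to-deadline mapping, the asset and finding fields, and the sample inventory (with placeholder CVE identifiers) are all assumptions, constructed to show how exposure, compensating controls, unused features, buggy patches and change freezes move a finding between "patch now", "hold" and "mitigate instead".

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Assumed tier -> maximum days allowed to patch. A real program sets these from its own risk appetite.
SLA_DAYS = {1: 0, 2: 7, 3: 30}


@dataclass
class Asset:
    name: str
    tier: int                              # 1 = mission-critical ... 3 = low business impact
    internet_exposed: bool
    compensating_controls: bool = False    # e.g. network isolation, restricted usage, a WAF rule
    affected_feature_in_use: bool = True   # does the application exercise the vulnerable code path?
    freeze_until: Optional[date] = None    # change freeze for a time-sensitive project


@dataclass
class Finding:
    cve: str
    asset: Asset
    cvss: float
    known_exploited: bool = False
    patch_has_known_issues: bool = False   # bug or compatibility reports seen during testing


def triage(f: Finding, today: date) -> dict:
    """Classify one finding as 'patch', 'hold' or 'mitigate' and assign a target date."""
    a = f.asset
    row = {"cve": f.cve, "asset": a.name, "cvss": f.cvss, "deadline": None, "reasons": []}

    # Deferral scenarios: the vulnerable function is not used, or the system is isolated
    # behind other controls. Both are tracked and scheduled into the normal cycle, not rushed.
    if not a.affected_feature_in_use:
        return {**row, "action": "mitigate", "reasons": ["vulnerable function not used; monitor instead"]}
    if a.compensating_controls and not a.internet_exposed:
        return {**row, "action": "mitigate", "reasons": ["isolated with compensating controls"]}

    # Base urgency comes from the asset tier; exposure and active exploitation raise it,
    # moderate severity on an internal-only system lowers it.
    tier = a.tier
    if f.known_exploited and a.internet_exposed and tier > 1:
        tier = 1
        row["reasons"].append("exploited in the wild and internet-facing")
    elif f.cvss < 7.0 and not a.internet_exposed and tier < 3:
        tier += 1
        row["reasons"].append("moderate severity, not exposed")
    deadline = today + timedelta(days=SLA_DAYS[tier])
    action = "patch"

    # Reasons to slow down: a patch with reported problems, or an active change freeze.
    # A freeze does not override a finding that is both exploited and exposed.
    if f.patch_has_known_issues:
        action = "hold"
        deadline += timedelta(days=7)
        row["reasons"].append("patch has reported issues; retest before rollout")
    if a.freeze_until and a.freeze_until > deadline and not (f.known_exploited and a.internet_exposed):
        action = "hold"
        deadline = a.freeze_until
        row["reasons"].append(f"change freeze until {a.freeze_until.isoformat()}")

    return {**row, "action": action, "deadline": deadline}


ORDER = {"patch": 0, "hold": 1, "mitigate": 2}


def prioritize(findings, today: date) -> list:
    """Return triaged rows, most urgent first: action, then deadline, then severity."""
    rows = [triage(f, today) for f in findings]
    return sorted(rows, key=lambda r: (ORDER[r["action"]], r["deadline"] or date.max, -r["cvss"]))


# Constructed sample inventory; CVE identifiers are placeholders, not real advisories.
TODAY = date(2024, 6, 3)
WEB = Asset("public-web-portal", tier=2, internet_exposed=True)
ERP = Asset("erp-core", tier=1, internet_exposed=False, freeze_until=date(2024, 6, 30))
LAB = Asset("lab-file-server", tier=3, internet_exposed=False, compensating_controls=True)
HR = Asset("hr-intranet", tier=2, internet_exposed=False, affected_feature_in_use=False)
SAMPLE_FINDINGS = [
    Finding("CVE-EXAMPLE-0001", WEB, cvss=9.8, known_exploited=True),
    Finding("CVE-EXAMPLE-0002", ERP, cvss=8.1, patch_has_known_issues=True),
    Finding("CVE-EXAMPLE-0003", LAB, cvss=7.5),
    Finding("CVE-EXAMPLE-0004", HR, cvss=6.5),
    Finding("CVE-EXAMPLE-0005", WEB, cvss=5.3),
]

if __name__ == "__main__":
    for r in prioritize(SAMPLE_FINDINGS, TODAY):
        print(f'{r["action"]:8} {r["deadline"] or "-":10} {r["cve"]} {r["asset"]}: {"; ".join(r["reasons"])}')
```

Run as written, the exploited internet-facing finding is pulled up to tier one and due today, the ERP finding is held until the freeze ends because a buggy patch and an active freeze both apply and it is not under active exploitation, and the isolated and unused-feature cases drop out of the emergency queue into the mitigation list. The point is not the particular thresholds, which every organization must set for itself, but that each deferral decision carries an explicit recorded reason that an auditor or insurer can review.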

Cybersecurity insurance and patching scenarios

Given the spike in CVEs and the perpetual threat of cyber incidents, many organizations are contemplating ways to optimize their cybersecurity insurance coverage. Despite stringent regulations and audits required to qualify for cybersecurity insurance, adopting a targeted patching approach when truly necessary shouldn’t negatively impact your standing with insurance providers, according to Bachwani.

Modern insurance practices primarily revolve around assessing the organization’s overall cybersecurity posture rather than internal data specifics.

“By clearly demonstrating our meticulous internal practices, we should witness a reduction in our insurance premiums,” Bachwani asserts.

To patch or not to patch?

Ultimately, the decision on whether to patch or not hinges on a singular factor: the business value associated with patching or refraining from it. This determination is guided by the organization’s risk tolerance. Having an understanding of the repercussions of system downtime or a cybersecurity incident aids in prioritizing critical vulnerabilities that necessitate timely attention and resources for patching. Simultaneously, acknowledging that not all vulnerabilities can be patched allows the team to focus on mitigating bigger risks.