April 15, 2019

4 in 5 IT chiefs are delaying security patches to avoid business disruption

By Lucy Ingham

A concerning 81% of chief information security officers (CISOs) and chief information officers (CIOs) are routinely delaying security patches in order to avoid disruption to day-to-day business operations, according to research published today.

The Global Resilience Gap study by Tanium looked at organisations in the UK, Japan and the US, and sounds serious alarm bells about cybersecurity practices among businesses.

It also found that 94% of CIOs and CISOs were making other compromises related to protecting their IT systems from cyberattacks and other security issues, indicating that, despite growing awareness around cybersecurity, businesses are still not adequately prioritising the issue.

Security patches vs productivity

Delays in installing security patches are particularly concerning as these often include vital updates to protect against active cybersecurity threats – meaning that businesses are leaving themselves exposed by failing to apply them immediately.

This also has potential implications for GDPR, as in some cases failing to apply security patches puts businesses at increased risk of a data breach.

“We have long been told that businesses and individuals alike need to be planning ahead of hacks and the ensuing data breaches, but with hackers becoming more creative it seems our cybersecurity needs to be improved across all industries,” said Paolo Sartori, managing director of TransWorldCom.

“Businesses simply cannot risk cutting corners when it comes to data and cybersecurity protection. CIOs and CISOs may think that halting business in order to ensure that a company’s security is up to date and robust will result in a loss of productivity. However, it will be minimal compared to the potential loss of productivity following a data breach or cyberattack.”

Such decisions also highlight the ongoing need for cybersecurity education – even at senior levels.

“While companies normally have excellent and secure cyber security, it is only as strong as the security measures of individual employees, as malicious emails can penetrate even the most robust protection measures. In terms of ensuring that data is safe and secure for the future, there needs to be a concerted effort to educate individuals against the full scope of data threat,” added Sartori.

“Personal and professional cybersecurity go hand-in-hand, a chain is only as strong as its weakest link, and information officers putting off security patches for example leave us all exposed.”
