Over the last 12 months, we have all read news stories about cybersecurity breaches at very well-known organizations. The stories tend to focus on the number of people potentially impacted by the breach – a good piece of information to know. Many of the stories then describe a known security vulnerability that the attacker was able to exploit because the company’s servers were not current on their patching.
When you dig a little deeper, you will likely find that those high-profile organizations have specific policies and standards in place for security and patch management. In most cases, the breakdown occurs because the controls needed to ensure adherence to those policies are not in place. Some key questions that should be asked are:
- What controls (reporting) were in place to notify the Security Officer that the patching was not done?
- Was the Security Officer notified, but no action taken?
- Did the reporting exist, but the server that was exploited was not being tracked?
For many mid-market companies, the policies and standards themselves are not in place, so their risk is even greater.