Edited by Danny Bishop
Patch Management Overview
System security is a critical consideration for eCommerce platforms, and the timely application of software patches is essential to ensuring systems remain secure as threats evolve. This document addresses some of the risks, challenges, and potential solutions eCommerce merchants, and their solution providers, should consider in order to reduce the likelihood of a data breach.
As technology evolves, keeping systems current requires commitment. Neglected systems accumulate vulnerabilities that can lead to a serious compromise. While vulnerabilities vary in complexity and applicability, the end result of most system compromises comes down to two words no business ever wants to confront: data theft. Credit card account details, email addresses, and other Personally Identifiable Information (PII) are high-value and therefore common targets in most data breaches. As a result, eCommerce platforms are prime targets for exploitation, as the following reports illustrate:
- 4.2 percent of all Magento stores globally are leaking payment and customer data
- Zombie money machines (malware that skims payment details)
From an eCommerce perspective, the technical nature of any given vulnerability is less important than understanding the risk the vulnerability presents. Some of the risks presented by system vulnerabilities include, but are by no means limited to:
- Brand damage and loss of consumer confidence
- Financial exposure, liability, and loss
- Compliance complications (PCI DSS, GDPR, HIPAA, etc.)
In fact, a quick Google search reveals an abundance of data breaches that took place in the past decade wherein businesses suffered losses and fines reaching into the hundreds of millions of dollars. According to a report commissioned by IBM and conducted by the Ponemon Institute LLC, “[the] global average cost of a data breach is up 6.4 percent over the previous year to $3.86 million.”
If the average cost of a data breach is not alarming enough, consider the following examples which illustrate just how overwhelming a data breach can be for larger entities:
- Yahoo: More than 1 billion user accounts. Total cost: $350 million
- Target: 41 million user accounts. Total cost: $202 million
- Equifax: 143 million user accounts. Total cost: $TBD (expected to be hundreds of millions)
The effort required to restore and maintain compliance with regulatory and industry standards (HIPAA, GDPR, PCI DSS, etc.) significantly contributes to the high financial cost of data breaches. Following a data breach, the minimum standards of compliance often increase drastically for the compromised entity, because regulators and industry watchdogs now perceive it as a higher risk. From this perspective, it is clear why regular, incremental patch management should be favored over post-compromise damage control.
While larger brands are likely capable of weathering the financial impact and negative publicity that come with a data breach, smaller brands are at risk of being eliminated by market and regulatory forces that are unwilling to accept losses caused by an apparent unwillingness to maintain secure systems.
Incredibly, almost 60 percent of organizations that suffered a data breach in the previous two years have acknowledged that a known, unpatched vulnerability was the root cause of their data breach (Higgins, 2018). This sobering statistic might lead one to wonder why these organizations were delinquent with respect to patch management. There are numerous reasons (excuses) organizations offer to explain why they neglect regular patching (Hamman, 2017). The most common include:
- They lack staff trained to complete the work successfully
- They lack the budget necessary to keep up with ongoing maintenance
- They do not fully understand the risks of not keeping up with patches
- They suffer operational paralysis due to the volume of applicable patches and an inability to manage them effectively
Ultimately, the key element underlying a majority of the stated concerns is almost invariably cost. The value of an upfront maintenance expenditure is often difficult to justify, but history proves that the losses associated with unpatched systems far exceed the initial and minor financial benefit of patch deferment.
Solving Patch Management Challenges
The first step toward solving patch management challenges is simply recognizing the long term financial and risk-reduction payoffs. The next step is acting upon that realization by investing in the people, processes, and technologies necessary to develop and implement a patch management strategy that incorporates the following basic criteria:
- Patch regularly and often (reduce confusion, manage volume)
- Plan for the expected (scheduled releases) with budget and staffing
- Plan for the unexpected (emergency, out-of-cycle security patches) with budget and staffing
The final — and possibly the most important — step in addressing the challenges of patch management is the establishment of a program dedicated to monitoring industry trends and feeding that information back into the patch management process. This crucial step helps ensure the patch management process continues to be relevant and is equipped to deal with ever-evolving threats.
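The technical core of every step above is the same question: which installed components still carry a known, unpatched vulnerability? The following script is an added example written for this page; it is not code from the original document or from the Magento project. It reads a Composer-style lock file (the format PHP platforms such as Magento use to pin installed package versions), compares each installed version against a list of security advisories, and reports what still needs patching, highest severity first. The lock file, package names, versions, advisory IDs and affected ranges are all constructed sample data, not real advisories, and only a small subset of Composer's version-constraint syntax (`>=`, `<`, `<=`, `>`, `=`, comma-separated) is supported.

```python
"""
Added example (not from the original document or the Magento project):
a minimal "known unpatched vulnerability" check over a Composer-style
lock file. All package names, versions and advisories below are
constructed sample data.
"""
import json
import re

SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1}

# One comparison clause of a constraint, e.g. ">=2.3.0" or "<2.3.1-p2".
_CONSTRAINT = re.compile(r"(>=|<=|<|>|==?)\s*([\w.\-]+)")


def parse_version(v):
    """Turn '2.3.1', 'v2.3.1' or '2.3.1-p2' into a comparable 4-tuple.

    The '-pN' patch-release suffix (the convention used by Magento for
    security-only releases) becomes the fourth component, so '2.3.1-p2'
    sorts after '2.3.1-p1' and after plain '2.3.1'. Any other suffix
    (e.g. '-beta1') is ignored and compares equal to the plain release.
    """
    base, _, suffix = v.lstrip("v").partition("-")
    nums = [int(p) for p in base.split(".") if p.isdigit()]
    while len(nums) < 3:
        nums.append(0)
    m = re.fullmatch(r"p(\d+)", suffix)
    nums.append(int(m.group(1)) if m else 0)
    return tuple(nums[:4])


def satisfies(version, constraint):
    """True if `version` matches every clause of a comma-separated constraint
    such as '>=2.3.0,<2.3.1-p2' (subset of Composer's constraint syntax)."""
    ver = parse_version(version)
    for op, bound in _CONSTRAINT.findall(constraint):
        b = parse_version(bound)
        ok = {">=": ver >= b, "<=": ver <= b, "<": ver < b, ">": ver > b,
              "=": ver == b, "==": ver == b}[op]
        if not ok:
            return False
    return True


def installed_packages(lock_json):
    """Map package name -> installed version from a composer.lock document
    (only the 'packages' section; 'packages-dev' is deliberately skipped)."""
    data = json.loads(lock_json)
    return {p["name"]: p["version"] for p in data.get("packages", [])}


def find_unpatched(lock_json, advisories):
    """Return the advisories whose affected range matches an installed
    version, sorted by severity (critical first) and then package name."""
    installed = installed_packages(lock_json)
    hits = []
    for adv in advisories:
        ver = installed.get(adv["package"])
        if ver is not None and satisfies(ver, adv["affected"]):
            hits.append({"id": adv["id"], "package": adv["package"],
                         "installed": ver, "fixed_in": adv["fixed_in"],
                         "severity": adv["severity"]})
    hits.sort(key=lambda h: (-SEVERITY_RANK[h["severity"]], h["package"]))
    return hits


# Constructed sample lock file (hypothetical vendor/package names and versions).
SAMPLE_LOCK = json.dumps({"packages": [
    {"name": "vendor/storefront", "version": "2.3.1-p1"},
    {"name": "vendor/payment-gateway", "version": "1.4.0"},
    {"name": "vendor/image-lib", "version": "3.2.5"},
    {"name": "vendor/search-adapter", "version": "0.9.2"},
]})

# Constructed sample advisories (hypothetical IDs and ranges, not real CVEs).
SAMPLE_ADVISORIES = [
    {"id": "ADV-0001", "package": "vendor/storefront", "severity": "critical",
     "affected": ">=2.3.0,<2.3.1-p2", "fixed_in": "2.3.1-p2"},
    {"id": "ADV-0002", "package": "vendor/payment-gateway", "severity": "high",
     "affected": "<1.4.0", "fixed_in": "1.4.0"},          # already patched
    {"id": "ADV-0003", "package": "vendor/image-lib", "severity": "medium",
     "affected": ">=3.0.0,<3.3.0", "fixed_in": "3.3.0"},
    {"id": "ADV-0004", "package": "vendor/not-installed", "severity": "critical",
     "affected": "<9.9.9", "fixed_in": "9.9.9"},          # not in the lock file
]

if __name__ == "__main__":
    for h in find_unpatched(SAMPLE_LOCK, SAMPLE_ADVISORIES):
        print(f"{h['severity']:<8} {h['id']} {h['package']}: "
              f"installed {h['installed']}, fixed in {h['fixed_in']}")
```

Run against the sample data, the report lists only the two packages that are actually exposed (the critical storefront advisory first, then the medium image-library one); the gateway already on its fixed version and the advisory for a package that is not installed are both filtered out. That filtering is what turns an unmanageable advisory feed into a short, prioritized work list, which is the point of patching regularly: each run has less to report. The handling of the `-pN` suffix matters in practice, since a naive string or three-part comparison would treat a patched `2.3.1-p2` and an unpatched `2.3.1` as the same version.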
References
Hamman, H. (2017, August 9). 6 Reasons Why Companies Don't Patch.
Higgins, K. (2018, April 5). Unpatched Vulnerabilities the Source of Most Data Breaches.
Ponemon Institute, LLC. (2018, July). 2018 Cost of a Data Breach Study: Global Overview.