Remote Work Increases Risk of Data Breaches Due to Unpatched Vulnerabilities

Globally, the COVID-19 pandemic has had a number of impacts on daily life. For businesses, the primary impact to date is the inability to conduct “business as usual” with employees on-site. A primary goal of public health organizations, such as the Centers for Disease Control and Prevention (CDC) and the World Health Organization (WHO), is to “flatten the curve” of COVID-19. By spreading the cases that require hospitalization over a longer period of time, these organizations hope to decrease the load on healthcare providers (and the resulting fatality rate).

A key component of “flattening the curve” is slowing the spread of the disease through social distancing and limiting non-essential travel and gatherings. As a result, the majority of businesses, with the exception of those deemed “essential”, have been forced to shut down or move to telework.

For many organizations, a strategy for securely shifting most or all of their workforce to telework may not have been part of their existing business continuity and disaster recovery plan. This switch has created a number of different security challenges. However, many organizations may not have considered the impact of telework on their vulnerability management processes and the resulting increase in exposure to data breaches.

Telework Impacts Company Patch Cycles

Vulnerability management is a challenge for most organizations under the best of circumstances. Each year, about 22,000 new vulnerabilities are discovered and publicly disclosed. For each of these vulnerabilities, an organization’s security team must determine if their systems are affected, acquire and test a patch (if one is available), deploy the patch to all affected systems, and test to ensure that the patch was applied correctly.

When everything goes smoothly, applying a single patch can take several hours of work by a member of the security team. However, a number of different factors exist that can impact the speed at which this process is completed for a given patch or whether it is completed at all.

Under normal circumstances, whether a system is on-site or remote affects how promptly it is patched. Within the first three days after a patch is released, 48% of on-site desktops and laptops receive it, compared to 42% of remote ones. When only a small share of the fleet is remote, this six percentage point gap affects a small (though still significant) portion of an organization’s infrastructure. However, with the telework requirements imposed by COVID-19, most of the fleet is now off-site, and well over half of those machines do not receive patches within the first three days, which substantially increases an organization’s exposure to attack. This also does not take into account the likely delays in patch management caused by other distractions related to COVID-19.
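The figures above are industry averages; what a security team actually needs is the same metric for its own fleet. The following Python script is an added example (not code from the original article) that computes the three-day patch compliance rate split by device location, lists the devices that are still unpatched after the deadline, and reports how many days each device has sat exposed. The inventory rows, device names, dates and the three-day target are constructed assumptions for illustration; in practice the rows would come from an endpoint management or vulnerability scanner export.

```python
from datetime import date, timedelta

# Assumed internal target: a patch should be installed within three days of release.
SLA_DAYS = 3

# Constructed sample inventory (not real data): (device, location, patch_released, patch_applied).
# patch_applied is None when the device has not yet checked in with the patch installed.
SAMPLE_INVENTORY = [
    ("LAPTOP-001", "on-site", date(2020, 4, 14), date(2020, 4, 15)),
    ("LAPTOP-002", "on-site", date(2020, 4, 14), date(2020, 4, 16)),
    ("DESK-003",   "on-site", date(2020, 4, 14), date(2020, 4, 21)),
    ("LAPTOP-004", "remote",  date(2020, 4, 14), date(2020, 4, 17)),
    ("LAPTOP-005", "remote",  date(2020, 4, 14), None),
    ("LAPTOP-006", "remote",  date(2020, 4, 14), date(2020, 4, 15)),
    ("LAPTOP-007", "remote",  date(2020, 4, 14), date(2020, 4, 20)),
]


def patched_within(applied, released, days=SLA_DAYS):
    """True if the patch was installed no later than `days` after it was released."""
    return applied is not None and (applied - released).days <= days


def compliance_by_location(inventory, days=SLA_DAYS):
    """Fraction of devices per location that were patched within the target window."""
    totals, hits = {}, {}
    for _, location, released, applied in inventory:
        totals[location] = totals.get(location, 0) + 1
        if patched_within(applied, released, days):
            hits[location] = hits.get(location, 0) + 1
    return {loc: hits.get(loc, 0) / n for loc, n in totals.items()}


def overdue_devices(inventory, as_of, days=SLA_DAYS):
    """Devices whose deadline has passed and which are still unpatched as of `as_of`.

    A device patched after the deadline but before `as_of` was late, not overdue:
    it no longer needs follow-up, so it is excluded here.
    """
    overdue = []
    for device, _, released, applied in inventory:
        deadline = released + timedelta(days=days)
        still_unpatched = applied is None or applied > as_of
        if as_of > deadline and still_unpatched:
            overdue.append(device)
    return overdue


def exposure_days(inventory, as_of):
    """Days each device spent without the patch, counted up to `as_of` if still unpatched."""
    out = {}
    for device, _, released, applied in inventory:
        end = as_of if (applied is None or applied > as_of) else applied
        out[device] = (end - released).days
    return out


if __name__ == "__main__":
    today = date(2020, 4, 18)  # assumed reporting date
    for loc, rate in compliance_by_location(SAMPLE_INVENTORY).items():
        print(f"{loc:8s} patched within {SLA_DAYS} days: {rate:.0%}")
    print("overdue as of", today, "->", overdue_devices(SAMPLE_INVENTORY, today))
    print("exposure days:", exposure_days(SAMPLE_INVENTORY, today))
```

Splitting the compliance figure by location is the point: a single fleet-wide number hides the fact that remote devices (which may only reach the update server over VPN, or never) lag behind, and the overdue list is the work queue the team should be chasing rather than a statistic.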

Unpatched Vulnerabilities Lead to Data Breaches

With the number of vulnerabilities reported each day, it may seem difficult or impossible for an organization to keep abreast of all of them. However, the costs of failing to apply patches, or even patching a vulnerability “too late” can be significant.

While phishing attacks are commonly cited as the root cause of most cybersecurity incidents, one study has found that most data breaches involve missing patches. In fact, nearly 60% of data breaches within the last two years can be traced back to a missing operating system or application patch.

With the average cost of a data breach in the millions of dollars, not to mention the less quantifiable costs of lost customers and sales, this represents a significant threat to an organization’s bottom line. Data breaches can and do put companies out of business, and the majority of them can be linked to a failure to apply a patch for a vulnerability in time.

Despite this risk, patching even a single vulnerability can be extremely expensive for an organization. For large defense contractors, a single patch can cost a quarter of a million dollars to apply across the organization. This price tag can often make patch management unscalable and forces organizations to prioritize patching based upon risk analysis.

Building Security into Business Continuity Plans

Many organizations were caught off guard by the need to transition to telework in the face of the COVID-19 pandemic. This rapid transition created a number of challenges for organizations’ network and security teams, as network infrastructure and company policies and procedures required updates to support a mostly or wholly remote workforce.

While many of these issues have been apparent, such as challenges in handling a massive influx in virtual private network (VPN) connections, others may be subtler. In general, organizations have struggled with vulnerability and patch management in the best of circumstances, let alone for remote devices and during a global crisis.

The COVID-19 pandemic has served as a learning experience for many organizations. The business continuity and disaster recovery plans that they had already put into place often did not cover the possibility that an organization’s entire workforce would switch to remote work within a matter of weeks.

As a result, organizations have had to adapt and work quickly to update policies and procedures to reflect their new operating environments. When doing so, it is vital to look beyond the obvious effects and security impacts of the shift to remote work driven by COVID-19. Impacts such as the decreased effectiveness of patch management for remote devices may not be obvious, but they can be costly to an organization if overlooked.