October is Cybersecurity Awareness Month – here, Tom Huckle, Director of Information Security & Compliance EMEA at BlueVoyant, considers the important role software updates and patches play in keeping your cyber defences intact – and why it matters to your supply chain partners too.
“High profile security breaches have peppered the news cycle over the last few years with the more recent MOVEit hack or the well-known Log4j vulnerability dominating the headlines. In the past few days, it was reported that hackers were trying to exploit vulnerabilities in VPN and other software. With breaches of this nature, updating software and doing this rapidly is key before known vulnerabilities are exploited again. By patching immediately, you remove the opportunity for cybercriminals to continue leveraging a path into your network.
However, it isn’t enough only to patch your own systems. It’s also imperative that organisations closely monitor how quickly their vendors and third-party suppliers patch. Not patching quickly is risky, not least because cybercriminals now exploit vulnerabilities like this faster.
One case in point is the Atlassian vulnerability now classified as CVE-2022-26134. Once alerted, Atlassian released a fix the next day. About 30% of vulnerable organisations had patched within 10 days, but the patch rate plateaued the following week, with 70% of vulnerable Confluence instances remaining exposed. Further to this, 60% of related global systems monitored by BlueVoyant remained unpatched six weeks after the release.
To prevent instances like this, the focus needs to be on secure software development practices particularly when using open-source software libraries. Awareness of potential vulnerabilities in these libraries continues to improve, but more work is needed.
Take the focus to your interconnected supply chain and identify the third parties that may bring vulnerabilities into your ecosystem.”