Most firms don’t have ‘mature’ patch management: Survey

IT security professionals have said for years that one of the biggest vulnerabilities in organizations is systems that don’t have the latest patches.

But according to a recent survey, the message still hasn’t sunk in.

Only 42 per cent of IT officials said they had a fully mature patch management process in place, says a survey conducted for managed security vendor Trustwave. Another 46 per cent described their patch management system as “partially” mature. In fact 12 per cent don’t have a patch management process in place at all.

Not only that, 21 per cent of respondents said their organization doesn’t hold regular security awareness training for all staff — considered vital to avoid people falling for phishing scams.

Of those who do awareness training, 12 per cent do it monthly, 22 per cent do it quarterly, 10 per cent do it twice a year and 35 per cent do it once a year.

Only 20 per cent encrypt sensitive data.

The survey was done over 16 months and included 476 CIOs, CTOs, IT managers and network administrators from more than 50 countries, although most were based in the United States, United Kingdom and United Arab Emirates.

Full survey results will be released next week.

“Businesses must look at security as a business-as-usual imperative,” Michael Aminzade, vice-president of Trustwave’s global compliance and risk services, said in a statement.

“Understanding their risk level is the first step. By identifying their largest security shortfalls and rectifying them, businesses can stay ahead of the criminals and decrease their risk of getting breached.”

The results weren’t all bad: Only five per cent said senior managers in their organizations don’t take an active role in IT security matters, and only eight per cent said their middle managers aren’t active on security.

Still, 23 per cent of the IT people say they never hold security planning meetings, and of those who have incident response plans, 21 per cent admitted they are never tested.

Trustwave recommends organizations ensure their security messages for staff are simple and clear, that there be a security plan and strategy, that staff work in teams and that the organizations review security processes and policies regularly.


Howard Solomon
Currently a freelance writer, I'm the former editor of and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times. I can be reached at hsolomon [@]
