Three months is a pathetic response time for pretty much every business issue, but it’s particularly pathetic when you’re talking about an issue that could cripple your employees’ ability to work at all.
And yet, as the Conficker/Downadup worm continues to wreak havoc across enterprise IT networks, security researchers are saying that many firms still haven’t deployed the patch Microsoft released nearly 100 days ago. One company, Qualys Inc., scanned several hundred thousand customer PCs and said 30 per cent had not been patched. That isn’t the stat that most interests me, however.
Another security organization, Sophos, recently conducted a poll in which nearly a third of business workers blamed system admins or IT managers for the problem. Many more blamed the worm author, of course, but Microsoft got off relatively lightly, at 17 per cent.
Conficker has so far infected an estimated 3.5 million PCs, according to Finnish security company F-Secure Corp, by exploiting a bug in the Windows Server service (the flaw Microsoft patched in bulletin MS08-067) present in Windows 2000, XP, Vista, Server 2003 and Server 2008: basically all the major Microsoft products that most businesses would be using.
The fact that users blame IT staff suggests they are not only becoming more educated about how to use technology, but more savvy about how technology is protected and maintained. While many employees still flout security policies and do things that expose IT infrastructure to increased vulnerability, there are doubtless those who are beginning to act the way IT managers would want. These individuals will also have higher expectations about patch management and anti-virus solutions than their predecessors.
In most organizations, the monitoring of IT departments’ efforts to combat malware, if it happens at all, is probably done by the IT departments themselves. Yet as the IT security industry begins to do a better job of educating senior executives about risk management in plain language, they will start asking more questions about patch cycles and what kind of escalation procedures IT managers have in place when a Conficker-style problem comes along.
Patch management is such a workload issue in some organizations that, in the attempt to organize themselves and keep on top of everything else in the business, IT departments may have decided to treat every vulnerability alike, whether or not a worm is actively exploiting it. That’s when a three-month cycle makes sense, but business realities may require greater agility than that. Particularly in a recession, where every moment of productivity and availability counts, the tolerance for security-related slowdowns will reach an unprecedented low.
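To make that point concrete, here is an added example of the kind of risk-tiered deadline check an IT manager could put in front of an executive asking about patch cycles. It is not code from this column or from any vendor it cites. The host inventory, hostnames, the second bulletin and the SLA tiers are constructed assumptions; the only real detail is that MS08-067 (the Server service fix Conficker exploits) was released on 23 October 2008, which comes from the editor’s own knowledge rather than the column.

```python
"""Risk-tiered patch deadlines over a constructed host inventory.

Added illustration, not the column's or any vendor's code. Hosts, the
second bulletin and the SLA tiers are made up; only the MS08-067 release
date is real.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Vuln:
    patch_id: str
    released: date
    severity: str             # "critical", "important", "moderate" or "low"
    actively_exploited: bool  # malware or a public exploit seen in the wild
    wormable: bool            # remote, no user interaction, spreads host to host


# Assumed SLA tiers, in days from patch release. Not a standard; tune to your risk appetite.
SLA_DAYS = {"emergency": 7, "critical": 30, "routine": 90}

# Constructed "today" for the report: roughly 100 days after MS08-067 shipped.
AS_OF = date(2009, 1, 30)


def tier(v: Vuln) -> str:
    """A wormable bug under active exploitation jumps the queue; everything else
    waits for the normal cycle. This is the 'not all worms are equal' rule."""
    if v.actively_exploited and v.wormable:
        return "emergency"
    if v.severity == "critical" or v.actively_exploited:
        return "critical"
    return "routine"


def deadline(v: Vuln) -> date:
    return v.released + timedelta(days=SLA_DAYS[tier(v)])


def summary(inventory: dict[str, set[str]], vulns: list[Vuln], today: date) -> list[dict]:
    """One row per patch: tier, deadline, which hosts still lack it, the share of the
    fleet exposed, and whether that exposure is past its deadline.
    `inventory` maps hostname -> set of patch IDs installed on that host."""
    rows = []
    for v in vulns:
        missing = sorted(h for h, installed in inventory.items() if v.patch_id not in installed)
        rows.append({
            "patch_id": v.patch_id,
            "tier": tier(v),
            "deadline": deadline(v),
            "missing_hosts": missing,
            "pct_missing": round(100.0 * len(missing) / len(inventory), 1),
            "overdue": today > deadline(v) and bool(missing),
        })
    return rows


def escalations(rows: list[dict]) -> list[str]:
    """Patch IDs that warrant an escalation question: overdue with hosts still exposed."""
    return [r["patch_id"] for r in rows if r["overdue"]]


# Constructed sample data. The MS08-067 release date is real; the hosts, the
# second bulletin and who has installed what are invented for the example.
VULNS = [
    Vuln("MS08-067", date(2008, 10, 23), "critical", actively_exploited=True, wormable=True),
    Vuln("EXAMPLE-BULLETIN", date(2008, 12, 10), "important", actively_exploited=False, wormable=False),
]

INVENTORY = {f"ws{n:02d}": {"MS08-067", "EXAMPLE-BULLETIN"} for n in range(1, 11)}
for _host in ("ws03", "ws07", "ws09"):                    # 3 of 10 never got the worm fix
    INVENTORY[_host].discard("MS08-067")
for _host in ("ws01", "ws02", "ws04", "ws05", "ws06"):    # 5 of 10 are still inside the routine window
    INVENTORY[_host].discard("EXAMPLE-BULLETIN")

if __name__ == "__main__":
    for row in summary(INVENTORY, VULNS, AS_OF):
        flag = "OVERDUE" if row["overdue"] else "ok"
        print(f'{row["patch_id"]:18} {row["tier"]:9} due {row["deadline"]} '
              f'{row["pct_missing"]:5.1f}% missing  {flag}')
```

Run as-is, the report shows the worm fix at 30 per cent missing and three months overdue on a seven-day emergency tier, while the second bulletin, at 50 per cent missing, is correctly not flagged because its routine deadline has not arrived. The useful property is that the same inventory produces a different answer once a vulnerability is marked as actively exploited, which is the distinction a flat three-month cycle throws away.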
Maybe it’s too easy to say “patch faster,” as some vendors have. But if there’s a serious rebuttal to that command, IT departments need to declare it now. As bad as worms like Conficker are, no one wants a situation where the authors of such malware become more popular than the employees who should be combating them.