Making the best decision about risk sometimes means forgoing cybersecurity’s best practices.
That can be the unfortunate reality for companies with equipment that is under warranty. Security leaders sometimes have to make the tough choice of forgoing a patch because in some cases, it would void the manufacturer warranty on the product if applied, and leave them on the hook for any potential costs if the equipment were to break.
This dilemma highlights the complicated nature of security decision-making. Even in today’s world – where security threats cost businesses $45 billion in 2018 – making the right decision to manage a company’s risk can mean juggling competing priorities, like limiting the risk of a cyberattack with the financial risk of repairing costly equipment without a warranty.
Patching is one of cybersecurity’s most commonly accepted best practices. By patching systems, companies are closing up known vulnerabilities in their infrastructure, devices or applications, leaving one less vector of attack for bad actors. It is generally seen as one of the most basic things a company can do to better protect itself from attack.
Yet manufacturers argue that they are the ones in the best position to repair things, ensuring customers don’t introduce further security issues or break a device’s functionality by altering it, even with a well-intentioned security patch. This is a very valid concern, especially in products that may use customized software or operating systems. For that reason, many want their own technicians or authorized service providers to be the ones to patch the devices after they can ensure it will work on the specific product. While this may take a little longer, manufacturers believe it’s worth it for the overall and long-term function of the device.
But it also puts companies in a compromised position. While an unpatched device doesn’t immediately mean their organization will be breached, it certainly raises the possibility. In a time when cyberattacks are at an all-time high, that can be a real concern for many organizations, especially those in sensitive industries like healthcare, manufacturing, or government that may be targets for attack.
“The time between a vulnerability’s discovery and the availability of a patch is one of the highest risk periods in the vulnerability life cycle as attackers are generally faster at writing exploits for these software flaws than companies are at developing patches,” a report by the Belfer Center at the Harvard Kennedy School said, noting that warranties further delay this process as software vendors look to validate that a patch will not negatively affect the product.
There is more than one reason an organization may choose to ignore a security patch: It may break the function of specialized software on the device. It may also be a challenge of time management and resources, as well as knowing what devices need to be patched in the first place.
There’s ultimately only so much that companies can do to change the minds of the manufacturers they want to work with. If a company needs a device to operate or improve their business, they will purchase it. While they may choose to factor cybersecurity into their purchasing decisions, it is also only one factor of many that they need to consider. They also need to balance other aspects, like price or overall quality. Or there may only be one company that sells that particular software or device.
There are other options that organizations can consider if they cannot or choose not to patch but want to mitigate any security risks that might involve. Tools like network segmentation or real-time network monitoring can help spot any malware that may exploit an open vulnerability or limit its spread across the network.
In any case, it isn’t necessarily the wrong choice for a company to wait for the manufacturer to patch. But a company should be making that choice based on an informed risk calculation, not based on convenience or, even worse, not knowing a device needs to be patched at all.
Ellen Sundra is the VP of Systems Engineering at Forescout Technologies.