Internet.com reports on the logic behind unpatched systems. Much of it comes down to the fact that system administrators are deluged with new patches and are fed up with high-level alerts for inessential ones. Yet when a system is compromised or crashes, the blame falls squarely on the shoulders of the system administrator. To resolve this, two things need to happen:
First of all, there needs to be a better understanding overall of the danger that security vulnerabilities represent. When it comes down to it, it is not solely the system administrator's responsibility to ensure that systems are secure. If software developers are careful in their implementations and consider the security implications of the choices they make when designing and developing software, the risk of an exploit is lowered.
Secondly, there is a need for better education in general. Most users neither know nor care about vulnerabilities. By default, most machines are not even set to auto-update. There are a number of ways this can be solved. Operating system vendors like Apple, Microsoft, and Red Hat already offer an automated way to apply patches to a machine. These tools should be turned on by default to ensure that “most” machines get patched properly. Following that, companies like Microsoft should be very careful when presenting the criticality of a patch and should review their processes to ensure that criticality is assessed properly.
These two steps will go a long way towards solving most of the problems. However, they will not go the whole distance. This is why I believe it is important for system administrators to establish a patch day: a single day every week when their sole focus is on ensuring that the systems in their company are secure. Not only is it good practice to check your systems’ vulnerability often, but in these days of increased criminal activity in the online space, it is something that could save a lot of money in lost time due to viruses and hacks. Some people will probably say that devoting a full weekday (or 20 percent of one’s time) to security is ridiculous, but if you account for the lost time and productivity, it may be more worthwhile to put the time into preventative care than into disaster recovery.