17 Apr 2006
More than half of UK firms believe they are at risk from vulnerabilities in their software and networks, according to new research released today by intrusion prevention specialist McAfee.
The study of over 600 senior IT staff across Europe, carried out by Ipsos Research, found that businesses have a confused approach to patch management. Nearly 60 percent of respondents said they had no idea how much patch deployment is costing their business, while 42 percent don't prioritise the areas of the business to be patched first.
"Firms know there's a problem there but they haven't found a logical and organised way of dealing with it," said McAfee security analyst Greg Day. "IT managers need to have a way of [firstly] deciding if there is a real [threat to their systems] or if it is just theoretical."
He also recommended that firms have a "security umbrella" comprising good intrusion protection systems, to give IT administrators time to evaluate the problem and then utilise patch management solutions in a "comfortable, controlled way".
Graham Titterington of analyst firm Ovum argued that most of the respondents' answers were "unrealistically optimistic".
"The majority of firms have no idea how much they spend on patches or how many deployments they make [in a six month period]," he said. "It's also difficult to prioritise [areas of the business] because patching is [done] at the infrastructure rather than the application layer."
He recommended that firms invest in "virtual patches" in order to buy themselves more time while testing patches before deployment. Virtual patches can be deployed more quickly and without testing, because they block traffic crafted to exploit a particular vulnerability rather than changing the vulnerable software itself.
The research also found that nearly a quarter of firms take a week or more from the time a patch is issued to the IT infrastructure being fully protected from that vulnerability.
Florian Gudermann of patch management vendor Enteo said that with the correct testing lab it should only take around a day to roll out new patches, although for large multinationals with multiple operating systems running applications in various languages, this may take longer.
"My advice would be to test and pilot patches," he said. "Run the tested patches on about 10 percent of [the firm's] machines and if there are no problems, get them out as quickly as possible."