Companies are struggling to keep up with security management
Updating security systems manually can increase corporate risk
Two-thirds of firms are at risk of security breaches because of erroneous changes being made to their security system, according to new research.
Keeping firewalls and business software up to date is becoming an increasingly onerous task for the IT department, amid a cascade of patches, new vulnerabilities and changes to business processes.
As a result, many systems intended to secure the enterprise are being updated incorrectly or inadequately, said Shaul Efraim, vice president of business development at Tufin Technologies.
Research undertaken on behalf of Tufin showed that 30 per cent of firms take several hours to change a firewall rule, while half reported they lack formal processes to update firewalls.
According to the poll of international network managers, 66 per cent said their change management processes left their firms vulnerable to security breaches.
Part of the problem stems from having IT staff make manual changes to security systems, said Efraim.
"We were surprised to learn that half the sample is still doing basic tasks manually, such as tightening up permissive rules, looking for shadowed rules, or re-certifying rules," he said.
Firms were wasting the time of experienced IT administrators by having them make these changes manually, he added.
But Andrew Kellett, a senior analyst at research firm Ovum, said that manual intervention remained a critical part of delivering enterprise-class security.
Automated security tools make sense for securing endpoints, such as laptops and smartphones, where organisations may have thousands of devices that need regular updates, he said.
But other parts of the security infrastructure, such as network firewalls, may need to be tightly managed and manually adjusted to ensure they meet the firm's needs, he added.
"There are benefits to both manual and automatic approaches - it depends on which parts of the infrastructure you're looking at and what the business' priorities are," he said.
One step many firms continue to miss is evaluating where they are in patching cycles, added Kellett: checking which devices have been updated successfully and which haven't.