Patching plays an incredibly important, yet often overlooked, role in managing information technology networks. For financial institutions this is not only true, it is more critical now than ever. A lack of patching, or inconsistent patching, in a network can lead to significant risks such as data breaches, data loss, viruses, malware, system downtime and regulatory issues. The end result is a loss of business continuity and capital. This is not a new concept, but as the industry landscape evolves, so do viruses, malware and attack tactics. Guidance to financial institutions about maintaining a comprehensive and effective patch management program appeared as early as May 2003.
2011 saw some of the biggest data losses in history. According to datalossdb.org, four of the ten largest data breaches of all time occurred in 2011.[2] These data breaches are typically targeted attacks by criminal groups. Constantly increasing security threats demonstrate the absolute importance of effective controls. One of the most effective controls for data breach risk is a solid patch management program. Keeping network resources patched with the latest bug and security fixes is paramount.
If a financial institution experiences a data breach, regulators typically require the institution’s clients to be notified. A 2010 Ponemon Institute study shows that the cost for a financial institution to repair a single compromised record was $268.[3] The article Data Breaches: A Year in Review by the Privacy Rights Clearinghouse cites that by early December 2011, “we’ve tracked 535 breaches involving 30.4 million sensitive records. This brings the total reported records breached in the U.S. since 2005 to the alarming number of 543 million.”[4] These costs do not begin to address the reputational risk that a financial institution assumes when it experiences a breach and must report that breach to its client base.
Data loss and data breach are closely related categories. The difference is that data loss can occur in several different ways, not only through a breach. Statistics compiled over the past decade show the key sources of data loss to be:
Hardware failure: 40%[5]
Software corruption: 13%[5]
One example of data loss through hardware failure is the failure of a hard drive inside a desktop computer or server. Hard drive manufacturers claim failure rates of less than 1%. As noted by David M. Smith, PhD, Associate Professor of Economics at Pepperdine University, some studies show the real number may be as high as 13%.[7]
Consistently patching your PCs and servers will drastically reduce the chances of both hardware and software failure by keeping your systems running at peak performance. Data loss severely interrupts normal business operations, costing the financial institution not only money and productivity but also customer satisfaction.
Viruses, Malware & Downtime
Viruses and malware are a common source of downtime for computer users. According to Microsoft’s latest Security Intelligence Report, “roughly 11 to 12 million PCs in the U.S. are infected with some type of malware – every quarter.”[8] While anti-virus and anti-malware scans are valuable controls, recent viruses and malware continue to infiltrate inadequately updated machines. Entire communities exist on the Internet with the sole purpose of identifying, tracking, and exploiting vulnerabilities in common applications such as Microsoft Windows, Microsoft Office, Internet Explorer, Adobe Flash, Adobe Acrobat Reader, and similar software. Other common sources of attack are browsing Web sites and Web advertisements, users downloading questionable software, and file sharing programs. With so many avenues of attack, a successful patch management program is imperative.
As these threats become more and more prevalent, financial institution regulators will be monitoring to ensure that institutions have properly assessed these risks and put proper controls in place to mitigate them. To remain compliant, financial institutions must have a sound patch management program in place.
A comprehensive, effective patch management program is a key factor in maintaining a financial institution’s data security and in saving it time and money. Though it may seem small and inconvenient, patch management has far-reaching ramifications that affect everything in your financial institution, from data breaches and viruses to downtime and regulation. In today’s technology landscape, financial institutions cannot afford to be caught off guard when it comes to patch management.