Getting the basics right is a cornerstone of security best practice. Singapore’s experience in patch management is mirrored around the globe.
I’ve got very interested, again, in the somewhat unsexy topic of IT asset management recently (the last time I looked at this was for Y2K remediation) and have signed a reseller agreement with Axonius. An operational threat model is also essential if you want to be able to set priorities. If you want to be able to come up with a prioritised list of what needs patching, and track progress, then give me a call (shameless plug over)…:
[…] Singapore businesses lost an average of 10 days coordinating with the relevant team prior to applying a patch and reported a 27% increase in downtime due to delays in patching vulnerabilities compared to last year. Some 72% planned to hire an average of five staff members over the next year who would be dedicated to patching.
However, their struggles with patch deployment were not necessarily the result of staffing issues. Some 67% of Singapore respondents pointed to an inability to have a common view of applications and assets across security and IT teams. Another 69% said they could not take critical applications and systems offline to patch them quickly, while 45% struggled to prioritise what needed to be patched.