Home Affairs Minister Clare O’Neil has expressed her disappointment with businesses that fail to patch software, saying there are still cases where companies get hacked through known security vulnerabilities months – sometimes years – after fixes have been made public.

“Businesses say sometimes that they feel powerless in the face of a deteriorating cyber environment,” O’Neil said.

“The vast majority of cyber attacks are completely preventable, if you take pretty straightforward steps. Regular patching is one of them.”

In December last year, the Australian Cyber Security Centre (ACSC) published guidance about vulnerabilities in Citrix Gateway and ADC, warning that the security flaws could allow for remote code execution on compromised machines.

“We’re continuing to see cyber incidents due to the Citrix vulnerability where patches have existed for almost a year,” O’Neil said.

“We’ve made great progress on cyber but we’re still seeing plenty of examples where basic hygiene isn’t being looked after.”

More recently, authorities have warned of security vulnerabilities in Ivanti Sentry, Fortinet Fortigate, along with more critical Citrix bugs, that are all being actively exploited.

Once a vendor discloses a problem with their code, it can take mere hours for bad actors to develop and share proof-of-concept malware that catches defenders off guard.

Getting caught out in the first 48 hours of a new vulnerability being made public is one thing, but the government is trying to get the message out that it’s unacceptable for businesses to be breached by attackers leveraging years’ old vulnerabilities.

Patch quickly, patch often

So why is it that organisations consistently fail to apply the latest security updates?

Louay Ghashash is director of Victoria cyber consultancy Spartans Security. He told Information Age that there were many legitimate reasons why organisations might struggle to stay on top of keeping their systems patched.

Legacy systems, the need for extensive testing, systems having to restart, and patches not being backwards compatible are all reasons why it can be challenging for enterprises to stay updated.

“That does not justify poor patching, but it highlights the need for a balanced approach,” Ghashash said.

“When you can’t patch, like for those reasons, you must implement compensating controls. This will assist in buying you time until you have proper patching in place.”

He recommends a method known as segment and monitor: isolate legacy systems and keep them cut off from the internet, restrict host-to-host communications with smaller services to limit lateral internal network access, and closely monitor anything that can’t be immediately patched.

Ghashash estimates that a lack of patching accounts for the vast majority of breaches in Australia.

International security company Sophos said data from its incident response teams point to software vulnerabilities as the number one cause for organisations getting breached, even when patches are readily available.

“The reason Aussie organisations find it hard to patch these systems is that many do not realise the onus is on them to consume and apply the patch,” Aaron Bugal, regional field CTO Sophos told Information Age.

While business owners might be conscious of when an application or their operating system has to update, Bugal explained that it’s often the “mission critical systems they can’t see day-to-day – email platforms, collaboration tools and even third-party security systems” that might need unprompted manual patching.

“This is exacerbated by businesses not having robust plans around the cyclic review of mission-critical systems and potential updates needed, all compounded by lacklustre governance from business owners on accountability of maintaining a holistically secure environment,” he said.

“Better education and governance around what it means to be secure is desperately needed.”

Indeed, strong businesses and citizens are among the government’s six ‘cyber shields’ that will feature in its latest, soon-to-be released cyber security strategy, the creation of which saw consulting firm McKinsey handsomely paid.