Only 6 in 10 firms say their software is always up-to-date
A new report from F-Secure reveals that most companies lack the resources to update legacy applications, which is potentially a serious security risk.
Drawing on data from its 2013 annual report, the security vendor says that, whilst 94 percent of SMBs (small- to mid-sized businesses) think it is important to keep software updated, only 59 percent of companies report that their software is always up-to-date.
Perhaps more surprisingly, only 63 percent of businesses say they have enough resources to keep their software updated.
The key question is why they lack these resources. The report hints at the answer when it says that SMBs are spending an average of 11 hours a week on software updates. On top of this, the larger the company, the more time that the firm spends on patches and updates. Interestingly, businesses with more than 250 employees are reported as spending more than 15 hours a week on updates.
According to Pekka Usva, F-Secure's VP of corporate security, even the time companies do spend on updates only touches the tip of the iceberg.
"A common misconception is that the problem is the operating system," he said, adding that operating systems are fairly well maintained and updated.
"The real problems are third party applications for both business and personal use – Skype, Adobe Reader, browsers with various plug-ins and Java, to name a few," he explained.
F-Secure says that 70 to 80 percent of the top ten malware detected by its F-Secure Labs research operation could have been prevented with up-to-date software.
One of the most interesting take-outs from the research is that some SMBs are not only embracing BYOD (bring your own device), but are also allowing staff to use their own software on the company's computers. F-Secure claims that almost half of the 805 respondents to its survey tolerated staff using their own software.
Researchers found that this was particularly true of smaller companies, with 56 percent of firms of fewer than 50 employees allowing the use of personal applications, falling to 39 percent of firms with 250 or more employees.
Delving into the research reveals that two-thirds (67 percent) of companies that allow staff to use their own software also expect employees to update their applications themselves. This percentage rises to a hefty 81 percent among businesses of under 50 employees.
The report also notes that just 30 percent of respondents worked at companies where the firm only took care of Microsoft software updates.
Commenting on the research - which took in responses from companies of up to 500 employees in size across eight countries (covering the UK, Europe and the US) - Professor John Walker of Nottingham-Trent University's School of Science and Technology, said this is an issue that crops up in companies time and again.
"It's all too common - and in some cases it's about the poor controls in place within organisations to get the latest updates out," he said, adding that, in other instances, it is often about the internal processes that require the use of testing for updates before installing them on a business's critical IT systems.
"And then of course, there are the SMEs who don't always have the in-house support to get all their systems updated in a timely manner," he said.
"However, one fact that is always close to hand is the problem that, even as soon as an update is delivered, there is an argument to say that the update itself is out of date," he added.
Walker, who is also director of CSIRT and cyber forensics with Integral Security Xssurance, went on to say that this problem is most notable where anti-virus software is concerned, as it also tells us that yesterday's technology no longer delivers anything like the silver security bullet for which IT professionals are constantly searching.
"If anything, with outdated software, the silver bullet tends to take on more of a tarnished bronze tinge," he explained.