Why Is Patching a Problem? Reasons Behind Resisting a Surefire Cybersecurity Best Practice

October 25, 2018

Mario Solivan, Network Infrastructure Consultant

This article is posted with permission from VC3's blog and shares non-technical, municipal-relevant insights about critical technology issues, focusing on how technology reduces costs, helps better serve citizens, and lessens cybersecurity risks. VC3 is solely responsible for the article’s content.

Unpatched computers, servers, and devices are one of the top three reasons for cyber breaches. (The other two reasons are poor passwords and untrained people.) This type of breach isn’t caused by some unknown factor. It stems from a known issue: a patch (or fix) already exists, and the breach occurs because the patch hasn’t been applied.

According to Gartner, “Zero-day vulnerabilities made up only approximately 0.4 percent of vulnerabilities during the past decade.” A “zero-day vulnerability” is a technical term for a security flaw that attackers exploit before the vendor knows about it or has a fix available, so defenders have had “zero days” to patch. Gartner is pointing out that the remaining 99.6 percent of vulnerabilities over the last 10 years were known issues for which a fix existed, which makes exposure to them preventable.

So, why is patching a problem? Let’s look at some of the reasons why cities and organizations resist patching.

1. Fear of breaking old, obsolete hardware and software
Lack of patching sometimes indicates a deeper root cause: lack of technology modernization. Many cities cling to old, obsolete hardware and software out of habit, familiarity, inertia, or a fear that switching to new technology will be costly and disruptive. Yet that old technology becomes more of a liability as time goes on. Five years can sometimes be too long to use a piece of technology, and yet it’s not uncommon to see cities using hardware and software that’s 10 or more years old.

When technology ages, vendors stop supporting it—including delivering security patches. That means the older your hardware and software, the less secure it becomes. And even when vendors still deliver extended support patches, some cities don’t apply those patches fearing they will break their already shaky technology. If you’re afraid to patch because you fear breaking hardware and software, then you absolutely need to modernize.

2. Interruptions to employee work
In the classic business book, The 7 Habits of Highly Effective People, Stephen Covey talks about “sharpening the saw.” To illustrate the point, he describes a person trying to cut down a tree with a dull saw. When the person is asked why they don’t sharpen the saw, they say there is no time because they must cut down the tree.

Patching is the “sharpening the saw” of your technology. Not patching because you fear interrupting employee work dulls your technology so that employees will become unproductive anyway through slow applications, frozen computers, and even viruses. Proactive planning can alleviate some of your fears about interrupting employee work (such as patching outside of normal business hours).

3. Manually applied patches take up valuable time
This is a valid concern: many organizations struggle with the amount of time that manual patching takes, and the larger the organization, the worse the problem becomes. If this is a problem for your city, then you might want to see if one or more of the following situations applies:

  • You’re understaffed. If you have one overworked IT person trying to put out fires every day, then patching will be difficult to fit into their schedule.

  • You’re not taking advantage of automated tools. Certain aspects of patch management (inventorying what is installed, flagging which systems are missing critical updates, and deploying patches that carry a low risk of disrupting your operations) can be automated by tools, leaving staff to focus on the updates that genuinely need testing and oversight.

  • You’re not hiring experienced IT engineers who can implement efficient processes for applying patches. Many times, cities simply have no process for patching. They do it when they get to it, and they may handle the process differently each time. Experienced IT engineers will have processes in place to make patching repeatable, as seamless as possible, and as automated as possible while still maintaining oversight.

4. Too many patches
The total volume of patches can be a challenge even for experienced IT engineers. When too many patches are needed across a variety of applications, it’s easy to get overwhelmed and quietly give up, because the river of patches seems to flood you no matter what you do.

If this is a problem, then you may need help prioritizing patches. Setting up a process that ensures the most critical security vulnerabilities (those being actively exploited, or rated most severe by the vendor) are patched first, that your most critical applications and systems are addressed before noncritical ones, and that less critical patches are scheduled for later will help you deal with patch volume rather than treating every update as equally urgent.
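The kind of triage described above, written out as a small script, is shown here as an added example; it is not code from VC3 or from the original article. It ranks a constructed list of pending patches so that items exploited in the wild come first, then the most severe, then the most critical assets, and it assigns each a due date from an assumed set of deployment SLAs (7/14/30/90 days, chosen here for illustration, not a published policy). It also addresses the point from the first section: a product whose vendor no longer ships fixes is routed to a separate replacement list instead of sitting in the patch queue forever. Hostnames, products, scores and dates are all constructed.

```python
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass
class PendingPatch:
    asset: str              # hostname in the city's inventory (constructed)
    product: str            # generic product label (constructed)
    cvss: float             # vendor/NVD base score, 0.0-10.0 (constructed)
    exploited: bool         # exploitation in the wild has been reported
    asset_tier: int         # 1 = critical city service, 3 = low impact
    patch_available: bool   # False when the vendor no longer ships fixes
    released: date          # date the fix (or the advisory) was published


# Assumed deployment SLAs in days per severity band. A real policy would be
# set by the city, not by this script.
SLA_DAYS = {"critical": 7, "high": 14, "medium": 30, "low": 90}
SEVERITY_ORDER = {"critical": 0, "high": 1, "medium": 2, "low": 3}


def severity(p: PendingPatch) -> str:
    """Band a patch; anything exploited in the wild is treated as critical
    regardless of its CVSS score."""
    if p.exploited or p.cvss >= 9.0:
        return "critical"
    if p.cvss >= 7.0:
        return "high"
    if p.cvss >= 4.0:
        return "medium"
    return "low"


def rank_key(p: PendingPatch):
    """Sort key: exploited first, then severity band, then the most critical
    asset tier, then the higher CVSS score."""
    return (not p.exploited, SEVERITY_ORDER[severity(p)], p.asset_tier, -p.cvss)


def due_date(p: PendingPatch) -> date:
    """Deadline for deployment under the assumed SLA for the patch's band."""
    return p.released + timedelta(days=SLA_DAYS[severity(p)])


def triage(patches):
    """Split pending items into an ordered patch queue with due dates and a
    separate list of unsupported products that need replacement, not a patch."""
    queue = sorted((p for p in patches if p.patch_available), key=rank_key)
    modernize = [p for p in patches if not p.patch_available]
    return [(p, due_date(p)) for p in queue], modernize


def overdue(queue, today: date):
    """Assets whose patch has passed its SLA due date, in priority order."""
    return [p.asset for p, due in queue if due < today]


# Constructed sample inventory; none of these are real hosts or real flaws.
SAMPLE = [
    PendingPatch("dispatch-srv01", "legacy server OS (support ended)", 7.8, True, 1, False, date(2018, 9, 1)),
    PendingPatch("finance-srv02", "database server", 9.8, False, 1, True, date(2018, 10, 20)),
    PendingPatch("clerk-pc17", "PDF reader", 7.8, True, 3, True, date(2018, 10, 10)),
    PendingPatch("kiosk-01", "Java runtime", 5.3, False, 3, True, date(2018, 9, 20)),
    PendingPatch("web-srv03", "web server", 7.5, False, 2, True, date(2018, 10, 5)),
]


if __name__ == "__main__":
    queue, modernize = triage(SAMPLE)
    for p, due in queue:
        print(f"{severity(p):8} due {due}  {p.asset:15} {p.product}")
    for p in modernize:
        print(f"REPLACE  no fix available {p.asset:15} {p.product}")
    print("overdue as of 2018-10-25:", overdue(queue, date(2018, 10, 25)))
```

Note that the exploited PDF reader on a low-tier clerk workstation outranks the unexploited 9.8-scored database flaw: a vulnerability attackers are already using is the one most likely to be behind the next incident, which is why "exploited" comes before raw score in the sort key. The legacy dispatch server never enters the queue at all, because no amount of patch scheduling helps a product the vendor has stopped fixing.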

5. City leadership not understanding the importance of patching

Does your city manager and elected officials receive reports about finances?

How about departmental reports?

How about cybersecurity reports?

You probably answered “yes” to the first two questions but, more likely than not, “no” to the third. After all, cybersecurity is for the IT people, right?

Wrong. Reporting on cybersecurity doesn’t mean boring city leadership with technical details. But it does mean letting them know about risk, liability, and threats that may seriously impact city operations. Your department heads and IT staff may be fully aware of the need for patching, but if city leadership has no visibility into it and doesn’t know why it’s important, then they won’t prioritize it. Instead, they will focus more on saving money and getting big projects done fast without prioritizing patching and security at all—until a cybersecurity incident happens. At that point, it’s too late.


While patching can challenge cities, they can more aggressively stay on top of this important activity by:

  • Hiring experienced IT engineers who understand the patch management process.
  • Building a proactive patching plan that alleviates operational hassles such as employee interruptions and manual staff time.
  • Modernizing technology so that patching is easier and reduces the risk of “breaking” any applications.
