It may seem implausible to discuss the relationship between return on investment (ROI) and patch management. After all, patch management — applying and managing updates to applications — doesn’t generate earnings for the organization. However, while patch management may not contribute to revenue earnings, loss prevention certainly impacts the company’s overall bottom line.
In other words, cost reduction is an implicit ROI of patch management. So, how much money can patch management save your company? It depends on how much an unpatched software vulnerability or bug would have cost your organization. This, in turn, depends on which applications were attacked, what data was compromised, and most importantly, how fast the attack was controlled.
Every security vulnerability — whether targeted or non-targeted — can profoundly cost the organization. This post explores patch management costs and considerations for effectively managing those expenses.
Factors That Affect the Cost of Patch Management
There is no one-size-fits-all answer to how much patch management costs every business. However, certain factors are crucial when making that evaluation. For example, you need to evaluate both tangible costs — actual money spent on repairs and containment measures — and intangible costs such as lost revenue and compromised assets, operational disruption, and brand damage.
Below are some aspects to consider when evaluating the actual cost of patch management:
1. Human resources
Hiring and retaining certified cybersecurity experts is essential in today’s business environment because such professionals can help the organization develop novel ways of combating new security threats. However, as cyberattacks have grown exponentially, so has the demand for certified cybersecurity experts, who remain in short supply.
Virtually all businesses — irrespective of their size — have had to engage the services of external cybersecurity experts to recover from security breaches. Recruiting such experts can be costly, and those costs can mean the end of an organization. In fact, 60 percent of small businesses will go out of business within six months of a breach.
2. Time required to patch
The application of security patches shouldn’t rely on manual methods. But that’s precisely what many companies essentially do, either through direct IT involvement or a reliance on end users to apply updates as they come in. Not only does this waste valuable time, it can cost an organization more than just dollars and cents.
The process becomes even more tedious and cumbersome when considering the surging number of endpoints in organizations. According to Endpoint, it can take up to 102 days to patch applications. This means that a vulnerability can remain on the enterprise network for months on end.
Because the patch management process is also disruptive to employees, many of them choose to turn off auto-updates to avoid interruptions to their work. As a result, crucial patches that would make the system operate more securely and smoothly are missed.
3. Patch frequency
Another way to figure out security patch management costs is to look at the frequency of applying patches. Because patch management is a critical function, IT teams must aim to conduct some form of patch reporting as regularly as possible. For example, a daily patch routine can include simple inventory scans consisting of physical and virtual assets to ensure that no apparent flaws exist in the company’s established safeguards.
This can be followed by more detailed assessments occurring at longer intervals such as weekly or monthly to deal with the intricacies of your IT infrastructure. The frequency of these operations can be overwhelming for IT teams, potentially impacting their overall productivity.
4. Number of systems affected
Patch management is an essential component for keeping applications secure and functioning correctly to support the business’s bottom line. Suppose some applications, such as mission-critical systems, experience even minimal downtime due to an unpatched vulnerability.
In that case, the company can suffer adverse consequences in terms of productivity, lost revenue, and brand reputation. If the bug affects many systems, the estimated cost of business disruption and lost customers can be high.
The Costs of Security Incidents
Cybersecurity costs can be grouped into three categories: before the attack (threat response), while under attack (restoring systems), and disruptions (downtime). For the purpose of this analysis, we’ll treat the two latter costs independently, even though they may overlap.
1. Threat response costs
Patch management is one strategy that companies usually employ as a precaution to prevent cyberattacks. Due to its widespread use and apparent impact on business processes, patch management has direct and indirect costs to the organization. As a never-ending process, patching is complex and time-consuming.
It confines your IT administrators to a reactive state, compelling them to continually play catch-up with processes such as:
- Downloading the patch from a trusted vendor and validating it for integrity.
- Testing the patch to ensure it will not affect other applications.
- Notifying the affected users and customers about scheduled downtimes if necessary.
- Rollbacks and remediation measures if needed.
Because of the processes mentioned above, the formula for computing the costs associated with threat response becomes:
Total annual threat response costs = [(Cost of patching a single event) * (Number of patching events)] + [(Preparation and detection costs) * (Number of reported incidents)] + [(Total annual ongoing expenses)]
Total annual ongoing expenses are the cost of the patch management tools; that figure is also what you’ll use to derive the preparation and detection costs.
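The first step in the list above, downloading a patch and validating its integrity, is the one that can be automated most cheaply, and automating it removes a manual step from every patching event in the formula. The following is an added example, not code from this post or from JumpCloud: it parses a vendor checksum manifest in the `sha256sum` layout and checks each downloaded file against it, refusing to proceed if any file is missing, unlisted, or altered. The file names, payloads, and manifest contents are constructed for illustration. Note that a hash check only detects corruption or tampering of the download; authenticity of the manifest itself still relies on the vendor signing it, which this example does not cover.

```python
"""Verify downloaded patch files against a vendor checksum manifest.

Added example (not JumpCloud's code): the manifest text and the sample
patch payloads below are constructed for illustration.
"""
import hashlib
import hmac

# Constructed sample: two "patch" payloads as a vendor might ship them.
PATCH_FILES = {
    "app-1.2.3-hotfix.bin": b"binary patch payload for app 1.2.3\n",
    "app-1.2.3-tools.tar": b"support tools archive\n",
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed manifest in the `<sha256>  <filename>` layout that
# `sha256sum` emits.  The second entry is deliberately wrong to show
# how a tampered or corrupted download is reported.
MANIFEST = f"""\
# SHA256SUMS for release 1.2.3 (constructed example)
{sha256_hex(PATCH_FILES['app-1.2.3-hotfix.bin'])}  app-1.2.3-hotfix.bin
{'0' * 64}  app-1.2.3-tools.tar
"""


def parse_manifest(text: str) -> dict[str, str]:
    """Return {filename: expected_hex}; skip blank lines and comments."""
    expected = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2 or len(parts[0]) != 64:
            raise ValueError(f"manifest line {lineno}: malformed entry {raw!r}")
        digest, name = parts
        # sha256sum prefixes binary-mode entries with '*'; tolerate it.
        expected[name.lstrip("*")] = digest.lower()
    return expected


def verify_patches(files: dict[str, bytes], manifest_text: str) -> dict[str, str]:
    """Check every downloaded file against the manifest.

    Returns {filename: status} with status 'ok', 'mismatch' or 'unlisted'.
    Files listed in the manifest but absent from the download are
    reported as 'missing', so an incomplete download is never treated
    as valid.
    """
    expected = parse_manifest(manifest_text)
    results = {}
    for name, data in files.items():
        if name not in expected:
            results[name] = "unlisted"
            continue
        actual = sha256_hex(data)
        # compare_digest avoids leaking where the digests differ via timing.
        results[name] = "ok" if hmac.compare_digest(actual, expected[name]) else "mismatch"
    for name in expected:
        results.setdefault(name, "missing")
    return results


def safe_to_install(results: dict[str, str]) -> bool:
    """Only an all-'ok' report clears the patch set for the test stage."""
    return all(status == "ok" for status in results.values())


if __name__ == "__main__":
    report = verify_patches(PATCH_FILES, MANIFEST)
    for name, status in report.items():
        print(f"{status:9} {name}")
    print("install:", "proceed" if safe_to_install(report) else "abort")
```

Run as-is, the script reports the hotfix as `ok` and the tools archive as `mismatch`, and the decision is `abort`; the patch set would only move on to the testing step once every entry verifies.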
2. System restoration costs
These are costs associated with reverting the system to the previous state to recover from malfunctions and other problems emanating from unpatched security bugs. To calculate the costs for this phase, you have to figure out forensic efforts and business loss associated with system quarantine.
Undertaking a forensic analysis requires the services of certified cybersecurity experts who will help the company to understand the nature of the attack and how to avoid it in the future. Forensic costs will largely consist of the salaries or fees for such experts. The longer the phase takes, the greater the costs the company will incur.
Besides forensic analysis, some or all aspects of business processes may be affected during the attack containment stage. For example, data may become inaccessible in ransomware attacks. The longer the business remains quarantined, the higher the organization’s costs, because employees cannot work while their machines are quarantined and servers cannot run business applications.
3. Downtime costs
Downtime costs are lost revenues that a company forfeits when its system stops functioning. Some of these costs include:
- Reputational damage and lost business. If the security breaches hit the headlines, the company can lose out on revenue in terms of:
  - Customer churn. Customers can terminate their relationship with the business due to the attack.
  - Reduced customer acquisition. The number of prospects can decrease.
- Ransoms. The organization can be forced to pay a ransom to avoid negative publicity and brand damage.
- Compensation claims. The organization may be legally compelled to compensate employees or customers if their personal data gets compromised.
- Business disruptions. External remediation measures can result in extra processes to be undertaken, such as launching a costly public relations (PR) exercise, customer support, and legal actions.
Save Time and Money with Cloud-Based Patch Management
None of the applications your organization uses for day-to-day operations is flawless. Because many vendors often release the patches on an ad hoc basis, you can’t simply wait to deploy them when it’s convenient. Leaving your enterprise resources unpatched can compromise the organization, resulting in severe financial losses.
The JumpCloud Directory Platform® is a modern cloud directory platform you can leverage to save time and costs associated with cloud patch management. IT teams can use the platform’s remote device management capabilities to create schedules and manage their Windows operating system (OS), macOS, and Ubuntu Linux patch processes from a single pane of glass. This provides greater visibility and reporting while allowing IT teams to strengthen the endpoints’ security posture.
JumpCloud comes with a simplified pricing structure where you only pay for what you need — at scale. With just one annual license, you can start enjoying the software’s full potential with features such as cloud multi-factor authentication (MFA), single sign-on (SSO), device management, and Zero Trust security, among others.
Check out our price calculator to learn more about JumpCloud’s overarching approach to cost management!