Many UK organisations suffered data breaches when criminals exploited a vulnerability in Progress Software’s MOVEit file transfer app, but with the right patch management the impact could have been greatly reduced.
Those with Cyber Essentials may have been at an advantage as the scheme helps organisations identify gaps in patch management through auditing of installed software.
Progress Software reported the critical vulnerability in its MOVEit cloud and software-based services in May, revealing that attackers could make unauthenticated SQL requests to an organisation’s on-premises SQL server, allowing them to access sensitive information.
Some organisations were slow to apply the required patches, resulting in major breaches.
Zellis, a payroll service provider, reported in June that it had suffered a data breach affecting a “small number” of its customers, including the BBC, Boots, British Airways, and Aer Lingus.
Whether or not Zellis had enough time to implement the required patches, the breach highlights the need for organisations to have robust patch management systems in place. It is generally recommended to have a routine patch management process, as well as an emergency patch management process for scenarios such as the MOVEit vulnerability, where a critical fix must be applied outside the normal cycle.
Cyber Essentials certification can help an organisation identify gaps in its patch management through auditing of installed software. Regular vulnerability scanning can also help an organisation identify weaknesses so that improvements can be made.
See here for the NCSC article on the Zellis incident.