The IT department at Henderson & Wright Logistics has confirmed that a critical security patch flagged as ‘urgent’ by their software vendor in February remains uninstalled, with senior infrastructure engineer Martin Gallagher describing the situation as “about standard, really”.
The update, which addresses what the vendor characterised as a ‘catastrophic vulnerability’ in the company’s customer database system, has been the subject of seventeen separate email warnings, three webinars that nobody attended, and one rather desperate phone call that went straight to voicemail.
Gallagher, who has worked in IT support for nineteen years and has the resignation in his voice to prove it, explained that the patch had been “on the list” since March. “We’ve got it scheduled for the next maintenance window,” he said, gesturing vaguely towards a planning board that still showed February’s dates. “We just need to find a time that works for everyone, which is proving a bit tricky.”
The maintenance window in question would require taking the system offline for approximately forty-five minutes, ideally between the hours of two and four in the morning on a Sunday. This has so far been deemed impossible by management, unworkable by the operations team, and “potentially disruptive to the customer experience” by someone in marketing who does not appear to understand what any of the words in the security bulletin actually mean.
When asked whether the eight-month delay posed any significant risk to the organisation, Gallagher offered a lengthy pause before responding. “Well, yes, obviously. But then again, we’ve been fine so far, haven’t we.”
The vendor’s increasingly frantic correspondence now sits in a dedicated email folder titled ‘Action Required’, which currently contains 4,287 unread messages dating back to 2019. This folder exists alongside others named ‘Urgent’, ‘For Review’, and, somewhat optimistically, ‘This Week’.
Sarah Pemberton, Henderson & Wright’s IT director, acknowledged the delay whilst simultaneously defending it with the kind of circular logic that can only emerge from years of organisational atrophy. “We absolutely recognise the importance of security,” she said. “That’s precisely why we can’t rush into something like this without proper planning, stakeholder consultation, and a comprehensive risk assessment. We’re hoping to begin the preliminary discussions about scheduling that assessment sometime in Q4.”
She added that the department had recently attended an excellent seminar on cybersecurity best practices, which had really opened their eyes to the importance of timely patching.
The security update, which can be installed with three mouse clicks and a server restart, remains pending. Gallagher noted that he’d managed to update his personal laptop over lunch last Thursday, which had taken about six minutes including the time he spent making a cup of tea.
A second critical vulnerability, disclosed by the vendor last week, has already been added to the list. Gallagher expects to start seriously considering it around April.