Security experts warned last week that the window of opportunity for patching vulnerable systems would narrow to 15 minutes by the end of this year. IT managers may need to rethink their protection strategies accordingly.

Fred Cohen, principal analyst at research firm Burton Group, said the days of firms enjoying a grace period of a year between a patch being released and an exploit being distributed were gone.

He told delegates at last week's Infosecurity Europe show that worms are now usually ready within 24 hours. "You need to start thinking about your approach to patch management when this gets down to 15 minutes," Cohen said. "That'll probably be by the end of this year."

The faster release of worms means that patching is becoming less effective. "To do patching well, you have to test first, but you can't if a worm is written and distributed in an hour," said Cohen. Within an hour of a patch being released, 80 percent of infect-able machines could be infected, he added.

Stuart Okin, Microsoft's chief security officer in the UK, said that at the start of this year the firm still noticed a lot of Blaster activity, almost a year after the worm's initial release. Microsoft released a clean-up tool to ensure customer systems were protected, which would only download onto machines meeting two criteria - those set for automatic updates and with a Trojan on their hard disk. "In the first week, we had 5.5 million distinct downloads," said Okin.

Gerhard Eschelbeck, chief technical officer for security vendor Qualys, argued that organisations need to rethink their patching strategies. He advised companies to use automated patch management systems to allow them to focus resources on other areas of IT security.

John Meakin, group head of information security at Standard Chartered Bank, said it was inevitable that vendors would continue to produce software with vulnerabilities. "This is a game of catch up. Rule number one is to manage your time and look at how best to use it on your assets," Meakin commented. "Those who have experience in disaster recovery can apply some of the same skills to this."