Organisations still haven’t got the patch management memo

Tim Brown, VP of Security at SolarWinds MSP, looks at how a renewed focus on security basics is necessary to keep businesses safe from attack.

New cybersecurity defence systems promise to keep us safe from increasingly sophisticated hacking techniques. AI and machine learning solutions are touted as the future, reacting in real time and without human intervention to the latest attacks that cybercriminals devise. A simple rules-based defence is no longer enough to protect valuable data – instead attacks will be discovered and prevented automatically by smart defences that operate independently and only need oversight from humans.

It’s a compelling story. How can businesses ever cope with a complex and ever-changing security landscape when the enemy has all the latest tools at their disposal? Surely they need the latest defences to cope with the latest attacks.

However, most businesses are a long way from needing the kind of security sophistication that would warrant help from AI. For them to apply this level of security would be like employing Terminator-style cyborg guards to protect a building with busted locks. Wouldn’t it make more sense, and be cheaper, to fix the locks first?

The importance of patch management

A patch is more than just a collection of bug fixes and code to repair vulnerabilities – every patch divides a community of software users into haves and have-nots. The division is between those who have applied the patch and those who have failed to do so. For hackers, it’s far easier to go after those systems that have not been patched. It’s like the old joke about two hunters being chased by a hungry bear. “I don’t have to outrun the bear,” says one hunter to the other, “I just have to outrun you.”

Just like the bear, cybercriminals are far more likely to target those who have fallen behind in their patch management. They even have a handy list based on the latest software fixes that gives them the best way to target them. Published patch and release notes – commonly used by hackers as part of their recon before building an attack – explain which vulnerabilities have been solved, giving hackers clues as to how unpatched systems can be compromised. Patch management is basic cyberhygiene and should be followed by everyone – not just businesses. Our research, performed in partnership with IDC, found that only 27% of businesses surveyed cite patch management as part of their security setup.

Getting patch management right

Patch management needs to be at the top of anyone’s security priority list. It’s a necessary part of security – it’s called cyberhygiene for good reason. It is an everyday mundane task that’s absolutely critical.

Patch management can be done manually, but this is only viable for the smallest of businesses. After all, it’s not just desktop PCs and laptops that need to be kept up to date, but tablets, printers, servers, smartphones, and myriad IoT devices. Larger businesses will need either software to help manage this, or the help of an outsourced managed services provider to look after IT problems. In fact, an inability to keep up with patches is probably a good indicator that outside help is needed.

A patch management program is more than just the software used to manage what needs to be patched, but is a combination of product, people, and software. Some systems simply can’t be patched due to compatibility or other reasons, or can only patched during certain times as uptime is crucial. A patch management program will measure and understand the risk of particular systems being unpatched, highlight the most important patches and take care of them first.

Once patch management policies and methods are in place, then decisions can be made on what patches should be applied. It’s not a bad idea to apply every available patch, but once an IT team has a better understanding of a specific situation, a judgement can be made on whether the risk to the business is worth the risk of installing a patch. If it fixes a very minor vulnerability but could mean major disruption if something goes wrong, maybe it’s right to delay it until its effects are better known.

Even if some patches are delayed, then the business will be in far better shape with a patch management program than without, putting themselves way ahead of the bear – and its other potential targets.

Like this content? Sign up for the free PCR Daily Digest email service to get the latest tech news straight to your inbox. You can also follow PCR on Twitter and Facebook.

Read the latest edition of PCR’s monthly magazine below:

Check Also

AI will reshape the finance sector – here’s how

Artificial intelligence (AI) is set to play an ever-increasing role in financial services and will …