PATCH MANAGEMENT – WHAT IS IT, AND WHY IS IT IMPORTANT?

Why is it overlooked, and what are the risks?

How often do you click “install later” when a reminder to update your system pops up on your device? Installation usually means pausing whatever you are doing, and sometimes waiting a considerable amount of time for the update to complete. It’s an interruption bordering on an inconvenience. If you delay an update on your cell phone, you probably don’t expose yourself to too much risk. Ignoring a vulnerability in your network and neglecting to apply a patch could have much more serious consequences.

Patch or update?

You may hear these terms used interchangeably, but they are slightly different. Patches and updates serve a similar purpose, but a software update is generally considered more extensive. A patch is a small adjustment to code, which updates one component of the software. It may serve to fix a bug or error discovered after a product release. Another term you may hear is “hotfix”. This simply means a patch that can be applied without having to reboot your system.

A software update may contain patches and fixes, but it often also involves new functionality. With the explosion in smartphone apps, even the least computer-literate among us have become used to regular updates of these apps and the new features they often herald. A service pack is an update on a bigger scale, usually bundling together a batch of fixes that can be installed at one time.

You snooze, you lose (data)

Why is it so important to update the software when prompted, as a user, and to apply patches when they are released, if you are a network manager? It can be very tempting to hit the “snooze” button if you are busy with something else at the time.

However, failing to install patches and updates timeously puts your system at risk. Not only is out-of-date software slow and lacking all the available functionality, but system vulnerabilities also expose you to the risk of cyberattacks. Some patches are in response to known threats, but more often, the software manufacturer spots the weakness and develops a security patch before hackers become aware and write their own code to exploit the weakness. Neglecting your patch management is like leaving the door to your home unlocked and the gate open. It might not be spotted immediately, but sooner or later an opportunistic criminal will walk by your house and, before you know it, you’ve become the neighbourhood’s latest crime victim.

Not a patch on the cybercriminals

Cybercrime is on the increase. We’ve covered the types of cyberattacks you might fall prey to in a previous article. Here’s a reminder of what you stand to lose if you fall victim to a malware or ransomware attack as a result of not patching your system when you should:

  • Time – restoring systems and recovering data takes time. Not only does network recovery consume valuable IT resources that could be put to more constructive use, but you also lose uptime. In the case of a website, that could mean lost sales. If your internal systems go down, your staff may not be able to carry out critical tasks.
  • Cost – a malware attack costs money. You may or may not pay the ransom in a ransomware attack, but there are still costs involved in restoring data, cleaning systems, etc.
  • Productivity – if any aspect of your business model is non-functioning, whether that is staff, telephone lines or website, you lose productivity. And that means you lose money.
  • Data – losing data means losing all of the above. But your data itself is extremely valuable and may be sensitive. If a cybercriminal gains access to your customer or employee information, there could be legal and reputational repercussions on top of the time and cost consequences.

Why aren’t patches installed urgently?

With all these ramifications, why would anyone take the risk of delaying an essential update or fix? Are network managers just lazy? Not at all. They are extremely busy people working hard to maintain service and keep systems functioning so the business can perform to its full potential. And therein lies part of the problem. Installing a security patch often, indeed usually, creates a service interruption. This can be short or long. Sometimes updates can be done at night or on weekends when demand is lower. But it is rare that the downtime needed to install a patch doesn’t cause some inconvenience to either the organisation or its customers.

Sometimes network managers just can’t keep up. There are a lot of security patches released every year. Microsoft reckons its software engineers discover up to 6000 vulnerabilities per annum. If you think of the multiple systems you run – MS Office, accounting, payroll, ERP, specialist industry packages, website, etc. – you can see what a gargantuan task your IT team has to keep on top of all the relevant patches. Inevitably, they have to prioritise certain systems and vulnerabilities.

Sometimes a patch can affect the functionality of a system. Most patches are tested before release, to ensure no negative consequences. But for various reasons that doesn’t always happen, and sometimes using the patch to fix a vulnerability can cause too many problems for dependent systems. The patch can also impact the performance of the system. Not long ago, an update to Apple’s iOS for iPhone 7 caused the authentication of certain apps to fail. It was soon fixed with the next update, but until then it was an inconvenience to users.

Patch management strategies

57% of data breaches are reportedly caused by poor patch management. Effective patch management should not be left to chance and should not be approached in a just-in-time fashion. Although you may not be able to anticipate which part of your system will reveal a vulnerability, you can have proactive procedures in place to ensure you apply patches and update your systems as punctually and expediently as possible.

There are several processes involved in patch management:

  1. Scan networked devices for missing software updates. It is useful to first conduct a thorough inventory of your network. Quite often, breaches happen via a neglected or forgotten system or device.
  2. If you have an extensive network, you may need to categorise your systems according to risk and priority. Establish criteria, such as critical vs. non-critical, browser vs. operating system.
  3. Download patches when they become available. Become familiar with your software vendors’ patch release schedules.
  4. Test patches if possible.
  5. Apply the patches to the relevant devices and systems.
  6. Ensure proper installation of patches.
  7. Monitor patches for functionality and performance issues.
  8. Report – it’s not essential to your patch management, but regular reporting is a useful tool for keeping track of your updates and any associated issues over time.
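
As an added illustration (not part of the original article), steps 1, 2 and 8 can be sketched in a few lines of Python: compare an inventory against released patches, rank what is missing, and report how long each patch has been outstanding. The host names, products, versions, dates and ranking weights are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class Patch:
    product: str
    fixed_version: tuple  # first version that contains the fix
    released: date
    security: bool        # True for a security patch, False for a functional fix

# Constructed sample data: hypothetical hosts, products and version numbers.
INVENTORY = {
    "web-01":   {"critical": True,  "software": {"os": (10, 2), "browser": (118, 0)}},
    "kiosk-07": {"critical": False, "software": {"os": (10, 4), "browser": (115, 0)}},
    "hr-db":    {"critical": True,  "software": {"os": (10, 4), "payroll": (3, 1)}},
}
PATCHES = [
    Patch("os", (10, 4), date(2024, 3, 12), True),
    Patch("browser", (119, 0), date(2024, 3, 20), True),
    Patch("payroll", (3, 2), date(2024, 2, 1), False),
]
# Assumed step-2 criteria: operating system before browser before everything else.
CLASS_WEIGHT = {"os": 3, "browser": 2}

def missing_patches(inventory, patches):
    """Step 1: every (host, patch) pair where the installed version predates the fix."""
    findings = []
    for host, info in inventory.items():
        for p in patches:
            installed = info["software"].get(p.product)
            if installed is not None and installed < p.fixed_version:
                findings.append((host, p))
    return findings

def prioritise(findings, inventory, today):
    """Step 2: critical hosts first, then security patches, software class, patch age."""
    def score(item):
        host, p = item
        return (inventory[host]["critical"], p.security,
                CLASS_WEIGHT.get(p.product, 1), (today - p.released).days)
    return sorted(findings, key=score, reverse=True)

def report(inventory, patches, today):
    """Step 8: ordered work list of (host, product, days since patch release)."""
    ranked = prioritise(missing_patches(inventory, patches), inventory, today)
    return [(host, p.product, (today - p.released).days) for host, p in ranked]
```

Running `report(INVENTORY, PATCHES, date(2024, 4, 1))` puts the critical web server's operating system patch at the top and the non-critical kiosk last, even though the payroll fix has been outstanding longest.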

The more automated your patch management process, the greater the likelihood of finding vulnerabilities and patching them before the hackers find you. Cloud-based patch management software can schedule regular scans and apply patches automatically. For Windows, there are different software updating services available that correspond to the size of your networked environment.